There is a new standard in town. All certificates from here on out will be at least 2048-bit encryption (or ECC), rather than the older 1024-bit. This is a new requirement that will be permanently in place by January 1, 2014, set forth by the one and only Certificate/Browser (CA/B) Forum. All new certs and renewals that are being issued are already 2048-bit, so no need to worry.
Overall, this is good news, because this just simply means SSL is getting stronger. As computers continue to become more powerful, the old 1024-bit certs become more vulnerable to being hacked by sophisticated computer processing capabilities. So, the easy answer is to beef up encryption so that these computers aren’t powerful enough to hack….it will take another 10-15 years or so before a computer would have enough muscle to even think about it again.
What do you need to do?
First, you need to determine if you have any active 1024-bit certificates. Then depending on when those certificates expire, you will need to renew or reissue by October 1st, 2013.
- If you are buying or renewing before January 1, 2014, you will just need to use a 2048-bit Certificate Signing Request (CSR) when buying/renewing.
- If your certificate expires after January 1, 2014, you’ll need to revoke and reissue the certificate with a 2048-bit key length certificate by October 1st, 2013. It is 100% absolutely FREE to do this and you will still get all of the time remaining on your current cert. All you have to do is login to your control panel and reissue your certificate and use a 2048-bit CSR.
Your step-by-step instructions
We just want to make sure you are 100% clear on what to do, so we made some step-by-step instructions.
- Check if you have a 1024-bit certificate expiring before January 1, 2014. You should receive an email from us if you do, but you can also check using this SSL Certificate Checker to check the key length of your cert. If yes, proceed to #2.
- Make sure your server can support a 2048-bit certificate. Most servers can handle it, but in some cases it might not be able to. If you are not sure, just contact our support team at support@SSLhelpdesk.com. If yes, proceed to #3.
- Revoke your current certificate and then reissue. After you revoke the certificate from your server, login to your control panel on our site and reissue the cert in question.
- Generate your CSR. Make sure to use a 2048-bit CSR and you should be all set. You will not have to go through the vetting process again and you will get all the time remaining on your current cert. Please do this by October 1st, 2013.
In a nutshell
- Renew certificates with a 2048-bit key length that expire before December 31, 2013.
- Revoke and Reissue all 1024-bit certificates that expire after January 1, 2014 by October 1, 2013.
You can also check out more information at NIST guidelines or Mozilla’s CA Certificate Maintenance Policy.