2048 Key Size Requirement
- Important Note:
-
Effective 1 January 2011, Digi-Sign will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure.
- Official, Technical Explanation
-
The fact that NIST, PKIX, WebTrust and other respective security standards and certifications consider the 1024 bit key size as no longer secure and therefore a recommendation is made to use 2048 bit or larger key sizes in X.509 public key certificates. All commercial CAs participating in WebTrust and complying to the latest security standards must follow this recommendation with immediate effect and therefore Digi-Sign must fully comply with this security mandate.
The upgrade to 2048 keys should have no real impact on your server environment as fully patched servers should be capable of handling this size of key. In addition, SSL/TLS clients that support only 128 bit encryption, will be able to verify the signature of the server using a public key certificate with 2048 bit key.
We realise the above security upgrades may initially cause some issues to your organisation but rest assured that it is in your best security interest to follow these security recommendations.
In the event that you mistakenly submit a 1024 bit key, you will be required to re-generate the CSR against a 2048 bit private key and submit your CSR via the certificate request form or to your sales representative. For technical instructions and support, visit the Digi-SSL™ support section of this site.
Related Links:
