Root Certificates with 1024-bit RSA Keys are Being Removed

Bruce Morton

Entrust has been working since 2010 to educate our customers on the migration away from 1024-bit RSA keys. We updated our policy in 2011 and summarized the status in 2013. Entrust has completed its own migration: we no longer issue RSA certificates with keys shorter than 2048 bits, and we have discussed the question of continued issuance from our 1024-bit root.

By the end of 2013, all compliant certification authorities (CAs) had migrated their customers from SSL certificates with 1024-bit RSA keys to certificates with 2048-bit keys or another acceptable alternative. Now, in 2014, the operating system and browser vendors will start to remove the 1024-bit root certificates, many of which have been embedded in their software for almost 20 years.

Mozilla will make the first move by removing some 1024-bit roots in the Firefox 32 release; the Entrust 1024-bit root certificate will be removed at that time. However, Mozilla has found that there may be a complication, caused by system administrators who have not kept their server configurations up to date.

In some cases an intermediate CA was cross-certified by a 1024-bit root. Customers who bought a long-life certificate may still have an installation whose chain runs through the 1024-bit root; that chain still validates in 2014 and may validate for a few more years. These customers were provided with an updated intermediate CA certificate, the same intermediate CA re-signed by a 2048-bit root, but may not have installed it on their servers.

Mozilla has mitigated this by temporarily embedding the new version of the intermediate CA certificate, the one signed by the 2048-bit root, in Firefox itself. This gives the browser a second path for validating the website's certificate: even if the server still sends the copy signed by the removed 1024-bit root, the chain can be built through the embedded copy up to the 2048-bit root.
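The situation described in the last three paragraphs, as an added example that is not code from Entrust or Mozilla: a toy Go program that builds a 1024-bit root, its 2048-bit replacement, one intermediate CA certified under each of them (same key and subject, two issuer signatures), and a long-life server certificate, then runs chain validation with Go's crypto/x509 in four configurations. All names (Example Root CA, Example Intermediate CA, www.example.test) are made up, and Go's chain builder stands in for the browser's; the point it shows is that a client can complete the chain through any issuer certificate it has available, whether the server sent it or the client already had it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Pki is a toy hierarchy with made-up names (not Entrust's): an old 1024-bit root, its
// 2048-bit replacement, one intermediate certified under each, and a long-life server cert.
type Pki struct {
	Root1024, Root2048, InterBy1024, InterBy2048, Leaf *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
func mustKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	check(err)
	return k
}

// issue creates a certificate for pub named cn, signed by signer; parent == nil means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA { // server certificate extensions instead of CA ones
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{"www.example.test"}
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// BuildPki creates both roots, cross-certifies one intermediate under each, and issues a leaf.
func BuildPki() Pki {
	root1024Key, root2048Key, interKey, leafKey := mustKey(1024), mustKey(2048), mustKey(2048), mustKey(2048)
	root1024 := issue("Example Root CA (1024)", true, nil, &root1024Key.PublicKey, root1024Key)
	root2048 := issue("Example Root CA (2048)", true, nil, &root2048Key.PublicKey, root2048Key)
	// Cross-certification: the same intermediate subject and key, certified by each root.
	interBy1024 := issue("Example Intermediate CA", true, root1024, &interKey.PublicKey, root1024Key)
	interBy2048 := issue("Example Intermediate CA", true, root2048, &interKey.PublicKey, root2048Key)
	// The leaf names only its issuer, so either intermediate certificate can complete its chain.
	leaf := issue("www.example.test", false, interBy1024, &leafKey.PublicKey, interKey)
	return Pki{root1024, root2048, interBy1024, interBy2048, leaf}
}

// Validates reports whether leaf chains to a trust anchor, given the client's trusted roots
// and the intermediates its chain builder can use (sent by the server or shipped by the client).
func Validates(leaf *x509.Certificate, trusted, available []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range available {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.test"})
	return err == nil
}

// Scenarios reports whether the server certificate validates when: the 1024-bit root is
// still trusted (oldStore); the root is removed and the server still sends the 1024-signed
// intermediate (lazyAdmin); the administrator installed the 2048-signed one (updated); the
// root is removed but the browser ships the 2048-signed intermediate itself (embedded).
func Scenarios(p Pki) (oldStore, lazyAdmin, updated, embedded bool) {
	before, after := []*x509.Certificate{p.Root1024, p.Root2048}, []*x509.Certificate{p.Root2048}
	oldStore = Validates(p.Leaf, before, []*x509.Certificate{p.InterBy1024})
	lazyAdmin = Validates(p.Leaf, after, []*x509.Certificate{p.InterBy1024})
	updated = Validates(p.Leaf, after, []*x509.Certificate{p.InterBy2048})
	embedded = Validates(p.Leaf, after, []*x509.Certificate{p.InterBy1024, p.InterBy2048})
	return
}

func main() {
	fmt.Println(Scenarios(BuildPki()))
}
```

Running it prints `true false true true`. The second value is the 2014 problem: the server sends only the intermediate signed by the 1024-bit root, the trust store no longer contains that root, and validation fails. The fourth is the mitigation: the server still sends the old intermediate, but the client also holds the 2048-signed copy of the same intermediate and builds the chain through that one instead. The same check against a real server is what an administrator should run before the root is removed: inspect the chain the server actually sends, not just the certificate it was issued.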

Microsoft is also planning to remove the 1024-bit root certificates, as early as November 2014. Microsoft has previously configured Windows so that it will not trust any RSA key shorter than 1024 bits.

Entrust fully supports the removal of the 1024-bit roots. It is good for the publicly trusted certificate industry to have programs that strengthen the specifications and mitigate possible future attacks.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
