2048-bit Key Length required for End-Entity Certificates

TC TrustCenter already recommends using a key length of 2048 bits today, and some certificates already require a 2048-bit key length.
TC TrustCenter will require the exclusive use of 2048-bit keys in any NEW certificates issued under its public roots as of December 15th 2010.  

What does that mean for you as a customer using TC Trust SSL, ID Store, EID or EID QuickStart?


 

Recognised Key Lengths and Algorithms

As a Certification Authority (CA) and as a provider of certification services, TC TrustCenter is certified for compliance with several internationally recognized industry standards. Typically, such standards define a set of requirements a CA must fulfil in order to guarantee that the certificates issued are of sufficient quality.

One of the critical parameters is the cryptographic quality of the keys supported. Because of progress in mathematics, cryptology, and computing power, some key lengths will no longer be considered safe in the future. Therefore, the standards define minimum requirements for cryptographic algorithms and associated key lengths. In order to guarantee cryptographic quality, Certification Authorities are recommended to adhere to these requirements:

  • The National Institute of Standards and Technology (NIST) generally recommends increasing key lengths to 2048 bits by the end of 2010.
  • The Windows® Root Certificate Program from Microsoft completely prohibits registered certification authorities from issuing 1024-bit certificates under a public root as of 01/01/2011.
  • The Mozilla Root Certificate Program permits the issuing of 1024-bit RSA certificates only until the end of 2010.

TC TrustCenter already recommends using a key length of 2048 bits today, and some of the certificates offered by TC TrustCenter already require a 2048-bit key length.


In line with the above-mentioned standards, TC TrustCenter will require the exclusive use of 2048-bit keys in any NEW certificates issued under its public roots as of December 15th 2010.

The public TC TrustCenter Root Certificates already use 2048-bit RSA keys.

What does that mean for you as a customer using TC Trust SSL, TC ID Store, TC Enterprise ID or TC EID QuickStart?

Deadline: 15th December 2010

  • Ensure your IT infrastructure and applications are ready to consume 2048-bit keys. In particular, if you are using smart cards, the supported key length depends on the smart card.
  • Be aware that all certificates have to be requested with 2048-bit keys. Please make sure that the CSRs (Certificate Signing Requests) are created with a 2048-bit key length. If you are using scripts to create certificate requests, please update them accordingly.
  • In some cases (e.g. for Domain Controller IDs) you may have to modify your configuration file according to the required key size.
  • Any keys generated in end-entity browsers (e.g. for TC Personal IDs) will be 2048 bits, as shorter key lengths will no longer be supported. If your browser version doesn't support 2048 bits, please update to a newer browser version (MS IE 5+, Firefox 2+, Opera 9+).
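
As an added example (not TC TrustCenter's code), the following pre-submission check reads the RSA key length out of a PEM-encoded CSR using only the Python standard library, so a request script can refuse anything below 2048 bits. The function names are assumptions made for this illustration, as is `constructed_csr`, which builds an unsigned sample request with a dummy modulus purely as test input.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at offset off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                          # long form: next k bytes hold the length
        k = length & 0x7F
        length, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def _children(buf, start, end):
    out = []
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def csr_rsa_bits(pem):
    """RSA modulus length in bits of a PEM-encoded PKCS#10 request."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-")))
    _, s, e = _tlv(der, 0)                     # CertificationRequest
    _, s, e = _children(der, s, e)[0]          # CertificationRequestInfo
    _, s, e = _children(der, s, e)[2]          # version, subject, then subjectPKInfo
    (_, a, _), (_, k, _) = _children(der, s, e)    # AlgorithmIdentifier, BIT STRING
    _, o, oe = _tlv(der, a)                    # algorithm OID
    if der[o:oe] != RSA_OID:
        raise ValueError("not an RSA key")
    _, s, e = _tlv(der, k + 1)                 # skip unused-bits byte: RSAPublicKey
    _, m, me = _tlv(der, s)                    # modulus INTEGER
    return int.from_bytes(der[m:me], "big").bit_length()

def meets_minimum(pem, min_bits=2048):
    """True if the request's key satisfies the 2048-bit requirement."""
    return csr_rsa_bits(pem) >= min_bits

def _der(tag, content):
    n, k = len(content), (len(content).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + content

def constructed_csr(bits):
    """Constructed sample input: unsigned CSR skeleton with a dummy modulus."""
    integer = lambda v: _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    key = _der(0x03, b"\0" + _der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537)))
    info = _der(0x30, integer(0) + _der(0x30, b"") + _der(0x30, alg + key) + _der(0xA0, b""))
    b64 = base64.encodebytes(_der(0x30, info + alg + _der(0x03, b"\0" * 9))).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}-----END CERTIFICATE REQUEST-----\n"
```

The check inspects only the public key field and does not verify the request's signature, so it belongs in front of the normal submission step, not in place of it.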
