Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2012-05-29 16:14:21.0

TN 7710 - Entrust is moving to 2048-bit RSA keys. Why?

Question

Why is Entrust, along with all of the other publicly trusted certification authorities, moving to 2048-bit RSA keys?

Answer

The US National Institute of Standards and Technology (NIST) has issued NIST Special Publication 800-57, Recommendation for Key Management. In 800-57, NIST advises that 1024-bit RSA keys will no longer be viable after 2010 and recommends moving to 2048-bit RSA keys, which NIST expects to remain viable until 2030.

Based on the NIST recommendations, the CAB Forum and Microsoft have implemented requirements to move from 1024-bit to 2048-bit RSA.

CAB Forum requirements for Extended Validation Certificates
  • Requires a minimum of 2048-bit RSA keys for Root and Subordinate CAs.
  • Requires a minimum of 1024-bit RSA keys for end entity certificates, and 2048-bit keys for end entity certificates that expire after 31 December 2010.
Microsoft requirements for all certificates
  • All new Root certificates must have a minimum of 2048-bit RSA keys.
  • 1024-bit Roots will be removed from the Microsoft Root Certificate Program by 31 December 2010.
  • All end entity certificates issued after 31 December 2013 must have a minimum of 2048-bit RSA keys.
In order to comply with NIST, the CAB Forum and Microsoft, Entrust has taken the following steps:
  • Deployed a new root called 'Entrust.net Certification Authority (2048)', which has a 2048-bit RSA key.
  • Deployed a Subordinate CA (L1C) that will be used in conjunction with the 2048 Root to increase the security of both the Root and the end entity server certificates. Issuing from a subordinate rather than directly from the Root is an industry standard architecture; Entrust was one of the few remaining Certificate Authorities still issuing certificates directly from the Root.
  • Begun the transition to signing our SSL certificates from the L1C Subordinate CA. This affects all certificates that have an expiry date beyond 31 December 2010, and any Certificate Management Service (CMS) account that was created after 1 November 2008.
  • Please note that in order to deploy your SSL certificate, you will also need to install the L1C Chain Certificate that links to the 2048 Root. The Chain Certificate only needs to be installed on the server that the SSL certificate is installed on; it allows end user software to follow the certification path all the way to the Root.
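The key-size and date rules above (CAB Forum: CA keys at least 2048 bits, end-entity keys at least 1024 bits and 2048 bits when the certificate expires after 31 December 2010; Microsoft: 2048 bits for end-entity certificates issued after 31 December 2013) can be checked mechanically against a certificate file. The following is an added example, not Entrust's own code: it reads the RSA modulus size and validity period straight out of a DER-encoded X.509 certificate using only the Python standard library, then applies the rules quoted above. The certificates it runs against are constructed inline (random moduli, empty names, a dummy signature), so they parse like real certificates but are not valid ones; on a real server you would feed it the DER bytes of the server, L1C and Root certificates.

```python
"""Check RSA key sizes and validity dates in DER-encoded X.509 certificates
against the 1024/2048-bit rules quoted in the article (standard library only).
The certificates below are constructed with a small DER encoder: random moduli,
empty names and a dummy signature, so they parse like real ones but are not valid."""
import datetime
import secrets

# ---- minimal DER encoder (only what the constructed certificates need) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # DER INTEGER is signed: size the body so the top bit is never set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1  rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption

def fake_cert(key_bits, not_before, not_after):
    """Constructed v3 certificate skeleton whose RSA modulus is exactly key_bits bits."""
    modulus = secrets.randbits(key_bits) | (1 << (key_bits - 1)) | 1
    rsa_alg = der_seq(tlv(0x06, RSA_OID), tlv(0x05, b""))
    sig_alg = der_seq(tlv(0x06, SHA256_RSA_OID), tlv(0x05, b""))
    spki = der_seq(rsa_alg, tlv(0x03, b"\x00" + der_seq(der_int(modulus), der_int(65537))))
    validity = der_seq(der_utctime(not_before), der_utctime(not_after))
    tbs = der_seq(tlv(0xA0, der_int(2)), der_int(1), sig_alg,
                  der_seq(), validity, der_seq(), spki)   # empty issuer / subject Names
    return der_seq(tbs, sig_alg, tlv(0x03, b"\x00"))      # dummy (empty) signature

# ---- minimal DER reader ----
def der_read(buf, pos):
    """Return (tag, content_start, content_end) of the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    out = []
    while start < end:
        elem = der_read(buf, start)
        out.append(elem)
        start = elem[2]
    return out

def der_time(buf, elem):
    tag, start, end = elem
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.datetime.strptime(buf[start:end].decode(), fmt)

def inspect_cert(cert_der):
    """Return (rsa_key_bits, not_before, not_after); rsa_key_bits is None for non-RSA keys."""
    _, c_start, c_end = der_read(cert_der, 0)
    tbs = der_children(cert_der, c_start, c_end)[0]
    fields = der_children(cert_der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                             # [0] version is absent in v1 certificates
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    nb, na = der_children(cert_der, fields[3][1], fields[3][2])
    alg, bits = der_children(cert_der, fields[5][1], fields[5][2])
    oid = der_children(cert_der, alg[1], alg[2])[0]
    if cert_der[oid[1]:oid[2]] != RSA_OID:
        return None, der_time(cert_der, nb), der_time(cert_der, na)
    # BIT STRING content: one "unused bits" byte, then RSAPublicKey ::= SEQUENCE { modulus, exponent }
    _, k_start, k_end = der_read(cert_der, bits[1] + 1)
    mod = der_children(cert_der, k_start, k_end)[0]
    return int.from_bytes(cert_der[mod[1]:mod[2]], "big").bit_length(), der_time(cert_der, nb), der_time(cert_der, na)

# ---- the rules quoted in the article ----
CAB_EXPIRY_CUTOFF = datetime.datetime(2010, 12, 31, 23, 59, 59)  # EE certs expiring after this need 2048
MS_ISSUE_CUTOFF = datetime.datetime(2013, 12, 31, 23, 59, 59)    # EE certs issued after this need 2048

def check_ca(cert_der):
    """Root and Subordinate CA keys must be at least 2048-bit RSA."""
    bits, _, _ = inspect_cert(cert_der)
    return bits is not None and bits >= 2048

def check_end_entity(cert_der):
    """End-entity keys: at least 1024 bits, and 2048 if the certificate expires after
    31 Dec 2010 (CAB Forum) or was issued after 31 Dec 2013 (Microsoft)."""
    bits, not_before, not_after = inspect_cert(cert_der)
    required = 2048 if (not_after > CAB_EXPIRY_CUTOFF or not_before > MS_ISSUE_CUTOFF) else 1024
    return {"key_bits": bits, "required_bits": required,
            "compliant": bits is not None and bits >= required}

def demo():
    """Run the checks over constructed certificates; returns the verdicts as a tuple."""
    d = datetime.datetime
    return (
        check_end_entity(fake_cert(1024, d(2009, 1, 1), d(2010, 6, 30)))["compliant"],  # True
        check_end_entity(fake_cert(1024, d(2009, 1, 1), d(2011, 6, 30)))["compliant"],  # False
        check_end_entity(fake_cert(2048, d(2012, 1, 1), d(2014, 1, 1)))["compliant"],   # True
        check_end_entity(fake_cert(1024, d(2014, 3, 1), d(2014, 9, 1)))["compliant"],   # False
        check_ca(fake_cert(2048, d(2009, 1, 1), d(2029, 1, 1))),                        # True
        check_ca(fake_cert(1024, d(2009, 1, 1), d(2029, 1, 1))),                        # False
        inspect_cert(fake_cert(4096, d(2009, 1, 1), d(2012, 1, 1)))[0],                 # 4096
    )

if __name__ == "__main__":
    print(demo())
```

The reader deliberately walks the TBSCertificate by field position rather than by searching for the RSA OID, because the same OID also appears in the signature-algorithm fields; the modulus length is taken from the INTEGER's value rather than its byte count so that the leading zero byte DER adds for sign does not inflate the result. To use it on a deployed certificate, load the DER bytes (for PEM input, `ssl.PEM_cert_to_DER_cert` in the standard library does the conversion) and pass them to `check_end_entity` for the server certificate and `check_ca` for the L1C and Root certificates.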

Affected Products:

  • Entrust Certificate Services 1 Year Advantage SSL Certificate
  • Entrust Certificate Services 1 Year Mutual SSL Certificate
  • Entrust Certificate Services 1 Year SSL Certificate
  • Entrust Certificate Services 1 Year WAP Certificate
  • Entrust Certificate Services 2 Year Advantage SSL Certificate
  • Entrust Certificate Services 2 Year Mutual SSL Certificate
  • Entrust Certificate Services 2 Year SSL Certificate
  • Entrust Certificate Services 2 Year WAP Certificate
  • Entrust Certificate Services 3 Year Advantage SSL Certificate
  • Entrust Certificate Services 3 Year Advantage SSL (Platform: Windows)
  • Entrust Certificate Services 3 Year SSL Certificate
  • Entrust Certificate Services 3 Year WAP Certificate (Platform: Windows)
  • Entrust Certificate Services 4 Year Advantage SSL Certificate
  • Entrust Certificate Services Accelerator Licenses
  • Entrust Certificate Services Additional Administrator
  • Entrust Certificate Services Additional Client Organization and Domain Names
  • Entrust Certificate Services Additional Domain Names
  • Entrust Certificate Services Additional Organization Names
  • Entrust Certificate Services Advantage Certificates
  • Entrust Certificate Services Affiliate Operations Module for SSL
  • Entrust Certificate Services Cert Admin Advantage Server Certificate 1 Year
  • Entrust Certificate Services Cert Admin Advantage Server Certificate 2 Year
  • Entrust Certificate Services Cert Admin UCC SSL - 1 Year (Language: English; Platform: Windows)
  • Entrust Certificate Services Cert Admin UCC SSL - 2 Year (Language: English; Platform: Windows)
  • Entrust Certificate Services Certificate Administrator 3 Year SSL Certificates (Platform: Windows)
  • Entrust Certificate Services Certificate Administrator EV SSL - 1 Year (Platform: Windows)
  • Entrust Certificate Services Certificate Administrator EV SSL - 2 Year (Platform: Windows)
  • Entrust Certificate Services Certificate Manager (Version: 7.0; Language: English; Platform: Windows)
  • Entrust Certificate Services Cross Certificate Fee - CASP
  • Entrust Certificate Services Cross Certificate Fee - Enterprise
  • Entrust Certificate Services Enhanced Service Account
  • Entrust Certificate Services EV Certificate - 1yr
  • Entrust Certificate Services EV Certificate - 2yr
  • Entrust Certificate Services EV SSL - 1 Year (Language: English; Platform: Windows)
  • Entrust Certificate Services EV SSL - 2 Year (Language: English; Platform: Windows)
  • Entrust Certificate Services Extended Validation Certificate Units
  • Entrust Certificate Services Extended Validation Certificates
  • Entrust Certificate Services SSL Mgmt Service Account 1 YR
  • Entrust Certificate Services SSL Mgmt Service Account 2 YR
  • Entrust Certificate Services SSL Mgmt Service Account 3 YR
  • Entrust Certificate Services SSL Mgmt Service Account 4 YR
  • Entrust Certificate Services SSL Mgmt Service Account - Non-Pooling (Language: ALL)
  • Entrust Certificate Services Standard Certificate - 1 Year
  • Entrust Certificate Services Standard Certificate - 2 Year
  • Entrust Certificate Services Standard Certificate - 3 Year
  • Entrust Certificate Services Standard Certificate - 4 Year
  • Entrust Certificate Services Standard Certificate Units
  • Entrust Certificate Services Standard Certificates
  • Entrust Certificate Services UC Certificate - 1 Year
  • Entrust Certificate Services UC Certificate - 2 Year
  • Entrust Certificate Services UC Certificate - 3 Year
  • Entrust Certificate Services UC Certificate - 4 Year (Language: English; Platform: Windows)
  • Entrust Certificate Services UC Certificate - 4 Year
  • Entrust Certificate Services UC Certificates
  • Entrust Certificate Services UCC Certificate - 1 and 2 year (Language: English; Platform: Windows)
  • Entrust Certificate Services UCC SSL - 1 year (Language: English; Platform: Windows)
  • Entrust Certificate Services UCC SSL - 2 year (Language: English; Platform: Windows)
  • Entrust Certificate Services UCC SSL - 3 year (Language: English; Platform: Windows)
  • Entrust Certificate Services Web Hoster Service Account (Language: English)
  • Entrust Certificate Services Wildcard Certificate Units
  • Entrust Certificate Services Wildcard Certificates
(Version, Language and Platform are listed only where the entry specifies them; all others are Not Applicable.)