Transferring from 1024 to 2048 SSL | Symantec Website Security Solutions

1024-Bit Migration Informational WebinarAndrew HorburyProduct Marketing Managerhttp://go.symantec.com/1024

The Topic• The National Institute of Standards and Technology

(NIST) Special Publication 800-131A calls for the end of 1024-bit certificate usage by 31 December 20132

• The Certification Authority/Browser (CA/B) Forum requires the end-of-life for all 1024-bit certificates and code signing products by 31 December 20131

• Symantec fully supports the NIST and CA/B Forum positions: staying ahead of encryption factoring is the duty of every responsible CA3

1024-Bit Migration Webinar

1. CA/Browser Forum, Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates v.1.1.3, CA/Browser Forum (21 February 2013), https://www.cabforum.org/Baseline_Requirements_V1_1_3.pdf.2. Elaine Barker and Allen Roginsky, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST (January 2011), http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf.3. Symantec, 2013 Industry Requirements: Ending Support for 1024-bit keys. Upgrade to 2048-bit keys or ECC Certificates, Symantec Corporation (May 2013),http://go.symantec.com/1024.


Microsoft, Windows Root Certificate Program - Technical Requirements, Microsoft Corporation (6 April 2011), http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements.aspx.


Mozilla, Mozilla CA Certificate Maintenance Policy (Version 2.1), Mozilla (8 May 2013), http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html.

The RSA Algorithm

• First publically described by Ron Rivest, Adi Shamir, and Len Adleman in 1977

• Since 1991, 17 RSA key lengths have been factored (hacked)


Ending the life of a key size is a natural point

in the lifecycle of any algorithm.

RSA Key Sizes Factored Over Time


Aug 1999

512Nov 2005

640July 2012

704

Dec 2003

576Dec 2009

768 ?1024

Our Responsibility–to the industry, to trust online, and to you

• We want to assist you through this key size’s lifecycle end• What you need to know: http://go.symantec.com/1024


• We have a number of resources to support you through this key size’s lifecycle end

• Ready now: http://go.symantec.com/1024• For certificates expiring this year: – Symantec will allow them to expire naturally– Get help with generating a new Certificate Signing Request (CSR) at

http://go.symantec.com/1024

• For certificates expiring in 2014 and later:– Symantec is initiating a rolling revocation process, beginning 1 October 2013– Helps customers adopt new encryption levels before year-end IT blackout

periods and busy holiday online shopping


Generate a new CSRThis page has every tool you need to generate a new CSR for a compliant certificate.

Our Responsibility – to the industry, to trust online, and to you

Keeping It Simple

Certificate expires:

2013Certificate expires:

2014+Generate a new Certificate Signing Request with a valid key length before/when your certificate expires.

Revoke and replace your Certificate with a valid certificate before 1 October 2013.


Do Your Part

1. Find your 1024-bit certificates– Run a test on your fully qualified domain name (FQDN) to check for key

length.

2. For certificates expiring this year: – At renewal, generate a CSR using a 2048-bit RSA key

3. For certificates expiring in 2014 and later:– Revoke and replace all 1024-bit certificates with a CSR using a 2048-bit

RSA/DSA or 256-bit ECC key (Read more about ECC http://bit.ly/13dZQZn– Symantec™ Managed PKI for SSL customers can configure 1024-bit

certificates with a customized expiration date before the deadline


Check your certificate’s encryption strengthEasily determine the key-length of your certificates.

http://go.symantec.com/1024

http://bit.ly/13dZQZn

http://bit.ly/13dZQZn

Save This Screen(Windows: “Alt-PrintScreen” or Mac: “Command-Shift-3”)

• http://go.symantec.com/1024• http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf• http://www.cabforum.org/Baseline_Requirements_V1_1_3.pdf• http://social.technet.microsoft.com/wiki/contents/articles/

1760.windows-root-certificate-program-technical-requirements.aspx• http://www.mozilla.org/projects/security/certs/policy/

MaintenancePolicy.html• http://www.symantec.com/page.jsp?id=how-ssl-works&tab=secTab4• http://go.symantec.com/certificate-intelligence-center



Trust Center AccountUnited Kingdom: email: [email protected]: 0808 234 2897 or 0808 101 3911 (Cable and mobiles)

France: email: [email protected]: 0800 91 40 81 Spain: email: [email protected]: 900 99 4142

Germany: email: [email protected]: 0800 183 0624

Denmark: email: [email protected]: 80 88 20 30

Sweden: email: [email protected]: 020-799270


Managed PKI for SSLUnited Kingdom: email: [email protected]: 0808 234 2897 or 0808 101 3911 (Cable and mobiles)

France: email: [email protected]: 0800 91 40 81 Spain: email: [email protected]: 900 99 4142

Germany: email: [email protected]: 0800 183 0624

Denmark: email: [email protected]: 80 88 20 30

Sweden: email: [email protected]: 020-799270

Thank you!

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Andrew Horburyhttp://go.symantec.com/1024