On December 9 2010, RapidSSL will upgrade its public root certificate authorities (CAs). All SSL certificates enrolled subsequently will be signed from the upgraded CA structure and hierarchy.
The upgrade will increase the RSA key length, and related strength, of each CA from 1024-bit to 2048-bit. Certificates from the new CAs will be issued from intermediate roots, creating a stronger, chained CA hierarchy.
- Existing valid certificates issued off of current 1024-bit RSA keys will continue to operate correctly and securely after the upgrade.
What is Changing?
RapidSSL® is updating its public root certificate authorities (CAs) from 1024-bit RSA keys to 2048-bit RSA keys.
As part of this change, RapidSSL will be introducing the use of an intermediate certificate authority to sign all SSL certificates – an industry best practice.
After this root migration, all RapidSSL certificates issued will be signed by an intermediate certificate that chains to a secure 2048-bit off-line Root CA.
This change is in line with industry best practices that RapidSSL follows to ensure the highest level of security for customers. The move to 2048-bit Root Keys is an industry-wide initiative. Moreover, the U.S. National Institute of Standards and Technology (NIST) has recommended transitioning to 2048-bit keys.
Browser vendors are also starting to require the use of 2048-bit keys – e.g., Microsoft is requiring the upgrade for any roots that it will include in its products. Microsoft will no longer be accepting 1028-bit roots after 12/31/2010.
When is this change going to take effect?
The migration to 2048-bit RSA keys is targeted for December 9, 2010.
What do I need to do?
There is no action necessary on the part of RapidSSL customers. Valid certificates issued off of 1024-bit RSA Roots will continue to operate correctly and securely. There is no need to replace existing certificates.
RapidSSL is providing this advance notice to keep you informed and to ensure a smooth transition.
RapidSSL has created a live test site secured with the new 2048 bit hierarchy:
You can get a copy of the new RAPIDSSL CA from our test site RapidSSL