
CertCentral: Key size restrictions for Private SSL/TLS certificates

Private TLS/SSL versus Public TLS/SSL

Private TLS/SSL certificates do not require public trust. Therefore, the CA/Browser Forum does not regulate what you can and cannot do when issuing these certificates.

Public TLS certificates require public trust and must comply with the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates and with browser vendors' policies.

1024-bit RSA key size

Because there are no restrictions on the minimum allowed key size for Private TLS certificates, DigiCert allows our Private SSL certificate customers to use a 1024-bit RSA key size to issue their Private SSL certificates. However, 1024-bit RSA keys are weak.

With the advances in cryptography, computing power, and the rise of quantum computing, 1024-bit RSA keys do not provide sufficient security as they are vulnerable to cyber-attacks. Using 1024-bit RSA keys for encryption increases the risk of exposing sensitive data to eavesdropping, decryption, and data breach.

Private SSL: Sunsetting the 1024-bit RSA key size

Because 1024-bit RSA keys no longer offer adequate security, DigiCert plans to end support for 1024-bit RSA keys for Private SSL. Later this year (2025), DigiCert will stop accepting 1024-bit RSA CSRs.

Note: For public TLS, you must use 2048-bit RSA keys or larger. If you enter a 1024-bit RSA CSR in the request form, we prevent you from submitting your certificate request until you use a supported key size.

Helping Private SSL certificate customers transition to a new minimum key size

In CertCentral, PKI Administrators can use the product settings to set the minimum RSA key size for their Private SSL certificates. See the Update your Private SSL OV certificate's minimum RSA key size instructions below.

  • 2048-bit minimum RSA key size

    If you set the minimum RSA key size to 2048-bit and the certificate requestor enters a 1024-bit RSA CSR in the request form, they receive the error message below. The message lets them know they are using an unsupported key size and cannot proceed until they enter a new CSR.

    “The CSR uses an unsupported key size. Please generate a new CSR.”

  • 1024-bit minimum RSA key size

    If you set the minimum RSA key size to 1024-bit and the certificate requestor enters a 1024-bit RSA CSR in the request form, they receive the warning message below. The message lets them know the key size is weak and they should use a 2048-bit RSA key size instead.

    “This weaker key size is currently still allowed for private TLS certificates. DigiCert recommends using a 2048-bit or greater key size to remain secure.”
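As an added example (not DigiCert's or CertCentral's code), a small shell pre-check that reads the RSA key size out of a CSR with openssl and applies the same two outcomes described above for a configured minimum, so a requestor can catch a weak key before opening the request form. It assumes openssl is on PATH, the file paths and function names are hypothetical, and the sample CSRs are constructed locally.

```shell
#!/bin/sh
# Hypothetical pre-submission check: read the RSA key size from a CSR and
# apply the CertCentral "Minimum RSA key size" decision described on this page.

# csr_rsa_bits <csr-file>: print the RSA modulus size in bits, or 0 if the CSR
# cannot be parsed or its key is not RSA (an EC key also reports "(N bit)",
# so the algorithm line is checked explicitly).
csr_rsa_bits() {
  txt=$(openssl req -in "$1" -noout -text 2>/dev/null) || { echo 0; return; }
  case "$txt" in
    *"Public Key Algorithm: rsaEncryption"*) ;;
    *) echo 0; return ;;
  esac
  # Matches both "RSA Public-Key: (2048 bit)" (1.1.x) and "Public-Key: (2048 bit)" (3.x).
  echo "$txt" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr <csr-file> <minimum-bits>: return 0 if the CSR would be accepted,
# 1 if it would be blocked. Messages are the two quoted on this page.
check_csr() {
  bits=$(csr_rsa_bits "$1")
  [ -n "$bits" ] || bits=0
  if [ "$bits" -lt "$2" ]; then
    echo "The CSR uses an unsupported key size. Please generate a new CSR."
    return 1
  fi
  if [ "$bits" -lt 2048 ]; then
    echo "This weaker key size is currently still allowed for private TLS certificates. DigiCert recommends using a 2048-bit or greater key size to remain secure."
  fi
  return 0
}

# make_csr <bits> <out-file>: constructed sample CSR (throwaway key) for testing.
make_csr() {
  openssl req -new -newkey "rsa:$1" -nodes -keyout /dev/null \
    -subj "/CN=example.internal" -out "$2" 2>/dev/null
}
```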

Update your Private SSL OV certificate's minimum RSA key size

You can use these instructions to update the minimum RSA key size for any Private SSL product in your account. In step three, select the Private SSL product you want to update.

  1. In CertCentral, in the left menu, go to Settings > Product Settings.

  2. On the Product Settings page, do the following before updating your product settings:

    1. Account-wide or division specific

      In the For menu, select the division to which the product settings apply.

      If you select the main or top-level division, the product settings apply to all the divisions in CertCentral.

    2. All user roles or a specific user role

      1. To apply the product settings to a specific user role, select Configure products by role.

        To apply the product settings to all user roles, do not select or deselect Configure products by role.

      2. In the Role column, select the role the settings apply to and then configure the product settings.

  3. In the Product column, select Private SSL OV.

  4. In the Product Settings column, under Private SSL OV, in the Minimum RSA key size menu, select the minimum key size the requestor must use when generating the CSR for the certificate request.

  5. When ready, scroll to the bottom of the page and select Save Settings.

  6. The next time someone requests a Private SSL OV certificate, they must provide a CSR that aligns with your new Minimum RSA key size setting.
