If you review your network environment, you'll probably find that your company has several commercially issued SSL certificates and some self-signed SSL certificates. SSL certificates are used to secure things such as Microsoft Exchange Server's Outlook Web Access (OWA), SharePoint, SSL VPN appliances, and, of course, other websites. The National Institute of Standards and Technology (NIST) has issued a statement that says SSL certificates with a key length of 1,024 bits or fewer will be insufficient for security after December 31, 2010, because NIST estimates that computers will be powerful enough to perform a brute-force crack of keys of that size. For more information about this recommendation, refer to "Recommendation for Key Management." Surprisingly, there are quite a few large companies doing business on the web that still use SSL certificates with 1,024-bit keys.
You might be asking yourself, "Should I care?" Of course, only you can answer that question. But if you went through the hassle of installing an SSL certificate on a site in the first place, you probably do care about the security of your data on that site. So let's look at how you determine the key length of your current certificates and investigate some considerations you might need to address when updating 1,024-bit keys to 2,048-bit keys in your environment.
Determining SSL Key Length
You might be unsure what key lengths your current certificates use. One easy way to determine the key length of any SSL certificate is through Internet Explorer (IE) by following these steps:
- Using IE, navigate to the site where the SSL certificate is installed.
- Click the padlock (Security Report) immediately to the right of the URL, then click View Certificates.
- Click the Details tab and scroll down until you see the Public key field. As Figure 1 shows, the SSL key length is shown in parentheses.

Figure 1: Checking the key length of an SSL certificate through IE
In this example, the SSL certificate was issued with a 2,048-bit key, so it complies with the NIST recommendation. In case you were wondering, NIST estimates that an SSL certificate with a 2,048-bit key will be viable until 2030. Of course, you can use this method to check not only your company's SSL certificates but also the SSL certificates of any company that has a secure website (i.e., a website that uses HTTPS). If you or your end users frequently visit secure websites (e.g., a 401k site), you might want to check the certificates for those sites to see if they comply with NIST's recommendations. If you find any that don't, you might consider contacting the companies to see when they plan to upgrade their SSL certificates.
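Clicking through the IE certificate dialog works for one site at a time; for an inventory of a whole environment you will want the same check scripted. The following is an added example, not code from the article, that does the "Public key" field lookup programmatically with Go's standard library: it parses a PEM certificate, reports the key size in bits, and flags RSA keys below the 2,048-bit minimum the NIST guidance above describes. It also includes a helper that performs the check against a live HTTPS endpoint. The host name `example.invalid`, the `selfSignedPEM` helper (which exists only to construct test input), and the function names are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// minRSABits is the smallest RSA modulus the NIST guidance discussed in the
// article treats as acceptable after 31 December 2010.
const minRSABits = 2048

// KeyLength returns the public-key size in bits of a parsed certificate,
// the same value IE shows in parentheses in the "Public key" field.
func KeyLength(cert *x509.Certificate) (int, error) {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return pub.N.BitLen(), nil
	case *ecdsa.PublicKey:
		return pub.Curve.Params().BitSize, nil
	default:
		return 0, fmt.Errorf("unsupported public key type %T", cert.PublicKey)
	}
}

// Compliant reports whether an RSA key length meets the 2,048-bit minimum.
func Compliant(rsaBits int) bool {
	return rsaBits >= minRSABits
}

// KeyLengthFromPEM parses a PEM-encoded certificate (the format most CAs and
// appliances export) and returns its key length.
func KeyLengthFromPEM(pemBytes []byte) (int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return KeyLength(cert)
}

// ServerKeyLength connects to host:port over TLS and returns the leaf
// certificate's key length: the scripted equivalent of the IE padlock check.
// Certificate verification is left enabled so an interposed party cannot
// substitute its own certificate for the one being audited.
func ServerKeyLength(addr string) (int, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return 0, errors.New("server presented no certificate")
	}
	return KeyLength(certs[0])
}

// selfSignedPEM builds a throwaway self-signed certificate with an RSA key of
// the requested size. It is constructed input for this example only, so the
// check can be demonstrated offline without a real certificate.
func selfSignedPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"}, // assumed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Demonstrate on one certificate below the threshold and one at it.
	for _, bits := range []int{1024, 2048} {
		p, err := selfSignedPEM(bits)
		if err != nil {
			panic(err)
		}
		n, err := KeyLengthFromPEM(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d-bit RSA key -> meets 2,048-bit minimum: %v\n", n, Compliant(n))
	}
}
```

To audit a real site, call `ServerKeyLength("owa.yourdomain.example:443")` (placeholder host) in place of the constructed certificates; the same `KeyLength` logic applies to the leaf certificate the server presents. Certificates exported from an appliance or from the Windows certificate store as Base-64 `.cer` files can be fed straight to `KeyLengthFromPEM`.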
Don't wait to reissue any 1,024-bit SSL certificates you find in your network because you could run into unforeseen problems that will delay the process. SSL certificates with a 1,024-bit key will probably be more common for certificates that were renewed for a period of two years or more. For commercial SSL certificates, some vendors, such as Go Daddy, let you re-key an existing SSL certificate so that you don't have to purchase a new certificate if you just want to increase the key length of the certificate.