Phase 2: Phasing out Certificates with 1024-bit RSA Keys

In the previous post about certificates with 1024-bit RSA keys we said that the changes for the second phase of migrating off of 1024-bit root certificates were planned to be released in Firefox in early 2015. These changes have been made in Firefox 36, in which the following 1024-bit root certificates were either removed, or their SSL and Code Signing trust bits were turned off.

  • Verizon <>
    • CN = GTE CyberTrust Global Root
      • SHA1 Fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
  • Symantec
    • CN = Thawte Server CA
      • SHA1 Fingerprint: 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
    • CN = Thawte Premium Server CA
      • SHA1 Fingerprint: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
    • OU = Class 3 Public Primary Certification Authority – G2
      • SHA1 Fingerprint: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
    • CN = Equifax Secure eBusiness CA-1
      • SHA1 Fingerprint: DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41

If you manage an SSL-enabled website, this change will not impact you if your certificates and the certificates above it have 2048-bit keys or more. If your SSL certificate has a 1024-bit key, or was issued by a certificate with a 1024-bit key, then you will need to get a new SSL certificate, and update the certificates in your Web server. If the intermediate certificate that you are using has a 1024-bit key, then you will need to download the 2048-bit intermediate certificate from the Certification Authority (CA), and update the certificate chain in your Web server. For your convenience, links to the impacted CAs are provided in the list above.

Please check your SSL certificates and replace any with 1024-bit RSA keys, and contact<> if you have comments or concerns.

Mozilla Security Engineering Team

1 response

  1. Mozilla wrote on :