Microsoft to remove all 1024-bit RSA roots from its trusted list soon


By now you are probably aware of the transition from 1024-bit to 2048-bit keys for RSA-based SSL certificates. This isn’t recent news, but we thought a reminder could be useful if you are unsure about the validity of your own certificates.

Why are certificates with less than 2048-bit key lengths being phased out?

To stay ahead of attacks, NIST (National Institute of Standards and Technology: a US agency working to develop and apply technology standards) guidelines have suggested discontinuing the use of 1024-bit certificates at the end of this year. Browsers and commercial CAs within the CA/Browser Forum have decided to abide by this recommendation and have created firm rules to proactively move end users to larger key sizes.

Microsoft will be initiating the last step of this transition by removing all 1024-bit root certificates from Microsoft computers’ trusted list.
The impact of this removal is incredibly significant. Microsoft owns more than 90% of the Operating System market share, meaning any SSL certificate linked to a 1024-bit root certificate will no longer be valid for 90% of computers worldwide once the 1024-bit roots are removed from Microsoft's trusted list.

Take action now and check that your SSL certificate has been reissued or renewed with a minimum 2048-bit RSA public key. Follow this quick process to find out which root is linked to your SSL certificate:

  • In your web browser, go to the website secured by your SSL certificate, click on the padlock next to the URL and click on “View certificate information” (below is a screenshot from Chrome)

  • Open the “Certification Path” tab, click on the root certificate (at the top) and click on “View certificate”.

  • Open the “Details” tab and look for the “public key” field. If the value shown is lower than 2048 bits, you must reissue your certificate with a 2048-bit key.

If you cannot view your SSL certificate details from a browser, you can still decode your CSR (all our clients can access their CSRs on MySSL®). If the key size displayed is lower than 2048 bits, you must reissue your certificate with a 2048-bit key: go to your certificate details on your MySSL® account, or contact your account manager.
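The same check can be scripted. The following is an added example, not part of the original post: it reads the RSA key size from a PEM certificate (for instance a root exported from the browser's certificate dialog) or a PEM CSR using only the Python standard library. The function names are illustrative, and the sample CSR is a constructed skeleton with a placeholder modulus rather than a real key.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def rsa_key_bits(der):
    """Modulus size of the RSA SubjectPublicKeyInfo in a DER certificate or CSR, else None."""
    stack = [(0, len(der))]
    while stack:
        kids = list(children(der, *stack.pop()))
        if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
            alg = list(children(der, kids[0][1], kids[0][2]))
            if alg and alg[0][0] == 0x06 and der[alg[0][1]:alg[0][2]] == RSA_OID:
                _, ks, _ = read_tlv(der, kids[1][1] + 1)  # skip the BIT STRING unused-bits byte
                _, ms, me = read_tlv(der, ks)             # first INTEGER is the modulus
                return int.from_bytes(der[ms:me], "big").bit_length()
        stack.extend((vs, ve) for tag, vs, ve in kids if tag & 0x20)  # descend into constructed types
    return None

def verdict(pem, minimum=2048):
    bits = rsa_key_bits(base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem)))
    if bits is None:
        return "no RSA public key found"
    return f"{bits}-bit RSA: " + ("ok" if bits >= minimum else "reissue with a 2048-bit key")

def tlv(tag, value):  # minimal DER encoder, used only to build the constructed sample
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_csr_pem(bits):  # constructed: CSR-shaped skeleton, placeholder modulus, no signature
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b"")))
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    print([verdict(sample_csr_pem(b)) for b in (1024, 2048)])
```

To check a real file, pass its PEM text to `verdict()`; a certificate with a non-RSA key returns the "no RSA public key found" result.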

Microsoft has not announced the precise date when 1024-bit roots will be removed from its trusted list, but our platinum partner Symantec has already advised reissuing all 1024-bit SSL certificates before August 31st, 2014.

For more information, feel free to contact our web security experts at or on 0203 143 4120.


Posted on Friday 01 August 2014 by Charlotte Pommier
