Short answer: The primary short-term concern about this increase in root cert size is for out-of-date / out-of-support software that is not capable of generating a 2048 bit Certificate Signing Request (‘CSR’) for requesting a cert.

Clear as mud? Servers that want an SSL certificate need to generate a CSR, which is then used by the Certificate Authority (‘CA’, i.e., GeoTrust) to generate your SSL certificate.  There are likely some servers, mostly older and out of date, that are not capable of generating a 2048 bit CSR.  Without a CSR, you can’t get an SSL cert.

What should I do? If you have older server software that is going to need an SSL cert in the next year or so, you may wish to verify with the vendor whether it is capable of generating a 2048 bit CSR.  If it can, no sweat, take care of your cert renewal as you usually would.  If your server is NOT capable of generating a 2048 bit CSR, either upgrade the server to a version that is capable OR buy yourself some time and contact to get a new GeoTrust cert BEFORE July 22nd, 2010, while you can still order a cert with a 1024 bit CSR.
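One way to check this yourself, as an added example that is not part of the original post: generate a CSR with OpenSSL (if your server can't, OpenSSL on any machine can, and the key just needs to end up on the server) and read the key size back out of any CSR before sending it to the CA. The openssl CLI and the placeholder subject fields are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate a 2048-bit RSA key
# and CSR with OpenSSL, then check the key size embedded in a CSR.
# Assumes the openssl CLI is installed; the subject fields are placeholders.

# Usage: make_csr <key-file> <csr-file> <bits>
make_csr() {
    key="$1"; csr="$2"; bits="$3"
    # -newkey rsa:N creates a fresh RSA key of N bits; -nodes leaves it unencrypted
    openssl req -new -newkey "rsa:$bits" -nodes -keyout "$key" -out "$csr" \
        -subj "/C=US/ST=Example/L=Example/O=Example Org/CN=www.example.com" \
        >/dev/null 2>&1
}

# Usage: csr_key_bits <csr-file>  -> prints the RSA modulus size in bits
# Run this against a CSR produced by older server software before ordering:
# the CA will reject anything under 2048 bits after the cut-off date.
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: csr_is_acceptable <csr-file> -> exit status 0 if the key is >= 2048 bits
csr_is_acceptable() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}
```

Keep the generated key file private and only send the CSR to the CA.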

The fine print: While you can buy yourself time, GeoTrust will only be allowing certs ordered between now and July 22nd to be a maximum of three years in duration.

Why don’t I just order certs from someone other than GeoTrust? You may be able to, but ALL CAs have either already made the change to 2048 bit roots or are in the process, like GeoTrust, of making the change.  See more about why this is all happening in the “Long answer” below.

Long answer: More information on the 2048 bit root migration in GeoTrust’s words.


