[BlueOnyx:21509] Certficate 4096 bit keys

Ernie ernie at info.eis.net.au
Sun Nov 5 18:50:08 -05 2017

Seems that Symantec/Thawte have changed their SSL certificate requirements


"Symantec???s next generation Web PKI hierarchy aims to modernize and streamline our TLS certificate offerings.
At the highest level, we are creating two new Symantec-branded root certificates, one RSA and one ECC. These reflect industry-standard best practices for algorithms and key sizes: 4096-bit RSA key, P-384 ECC key, and SHA-256 used in the signing algorithm. With this new hierarchy all public TLS certificates will be issued from these roots; this includes the Symantec, Thawte, GeoTrust and RapidSSL branded certificates.
>From these two root certificates, we are signing intermediate CA certificates for Symantec, Thawte, and GeoTrust brands. Within each brand, we???ll have separate RSA and ECC intermediate CA certificates for Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) certificates. Under the RapidSSL brand, we???ll have OV and DV intermediate CA certificates, but no EV intermediate CA certificate.
In addition, we plan to cross-sign the new roots from several of our existing root certificates, to allow certificates in the new hierarchy to be trusted by clients that are not yet aware of the new roots.
Symantec expects to issue all new public TLS certificates from the new roots by 1 December, 2017. Note that we will evaluate customer requests for new public TLS certificates from our existing roots after that time. Any certificates issued from the old roots after that time will not be trusted by all browsers, but will operate properly for non-browser

Are the keys generated by BlueOnyx campatible with this 4096-bit RSA key

- Ernie.


More information about the Blueonyx mailing list