Tag Archives: SSL Sertificates

Difference Between 1024bit, 2048bit and 4096bit SSL Root Keys

When you need to buy an SSL certificate you first have to generate CSR – certificate signing request. This process depends on the type of software that you use on your server, but you will always have to choose what would be the length of your root key. A lot of people do not pay attention on that fact.

So what’s the difference between 1024bit, 2048bit and 4096bit root keys?
The 1024bit was the old industry standard for SSL certificates. Since 2010 this length is no longer safe enough. However, you can still find a lot of websites using SSL certificates issued on 1024bit root key.

Where can I find the length of the SSL root key when looking at a web site?
All you have to do is click on the certificate indication in your browser and then go to “View certificate”. There you can find all the information from public key and root key length itself.

Why is 1024bit root key no longer safe enough?
This key length has already been broken once, that’s why you don’t have guarantee that won’t happen again with your website. You should make sure your root key is at least 2048bit when generating your CSR. This encryption level hasn’t been cracked yet and it is safe.

The largest certification authorities and their partners have already quit accepting root keys shorter than 2048bit. This means that you’ll be automatically informed that the CSR you generated is not long enough. Yet, you should be aware that some companies still issue low cypher SSL certs. It is up to you to generate your CSR correctly.

Isn’t it better to have 4096bit certificate rather than 2048bit?
In fact it doesn’t really matter if your SSL certificate has 4096bit or 2048bit root key, because both are uncrackable. If you’re buying your SSL just for one or two years you don’t really need the longer key, because standards will not change so fast. Even if they do, you can always reissue your SSL with new CSR based on longer root key. But if you are getting four or five years SSL you can generate your CSR with 4096 root key just in case.

Can every certification authority issue 4096bit root key SSL certificate?
Yes, you can get such certificate from most of SSL providers. In fact this depends only on you. If you generate your certificate signing request (CSR) on 4096bit your SSL will be issued with this length root key. The certification authority cannot change that on their end. On the other side, if your CSR is generated on 1024bit root key you will have to start all over again and create at least 2048bit CSR.

Now you are well equipped for picking up the best for your purposes.