Enforcement of 3072-bit RSA Key will strengthen Code Signing Certificate
A 3072-bit key length is the new RSA key size that the SSL industry is going to use in Code Signing certificates. Yes, you have heard right! The CA/Browser Forum earlier accepted the NIST recommendation to use a 3072-bit key size, which stated that a stronger key is required to enhance SSL security, and the CA/Browser Forum baseline accordingly states that a 3072-bit key size is to be adopted for Code Signing and time stamp certificates on June 1, 2021. An RSA key is used to sign software and its updates. It is believed that a longer key means a greater extent of security in the SSL industry.
About Key Length
Before discussing the change in key size, let us understand key length. A key length represents the size of a key as a number of bits. A key is used in the certificate for signing and encryption purposes. When the NIST recommends increasing the key size, it means a more robust digital signature is on the way. The reason to increase the key size is to secure the future of digital signatures by making them stronger. Breaking such an enhanced key requires more computational processing power, because a larger key takes more time in decryption. Due to the increased Code Signing certificate key length, an attacker cannot damage the integrity of software code and manipulate the software.
Change in Key Size
The earlier 1024-bit key size was assumed safe for SSL certificates, but with the rise in technology and computer processors, the NIST recommended using a 2048-bit key size, which is almost double the size of its predecessor key. So, we just got a 2048-bit key size in eight years. Now, the NIST has recommended implementing a 3072-bit key length in its SP 800-57 Part 1 Rev. 5 publication, released in May 2020, to enrich the security level.
The CA/Browser Forum also voted in favor of the NIST recommendation in the year 2020 and agreed to implement the new key size from June 1, 2021.
What About Code Signing Certificate Users?
- Users who already have a Code Signing certificate do not need to worry as they can enjoy a 2048-bit RSA key with their current certificate.
- Users who are going to get a Code Signing certificate after June 1, 2021, will have the latest 3072-bit RSA key.
- However, if a current user is trying to reissue or renew an existing certificate, then the user should specify a 3072-bit key size instead of a 2048-bit key size.
- So, if you are using a 2048-bit key size certificate, it is wise to reissue the current Code Signing certificate and enjoy the latest 3072-bit key size certificate.
Find Your Key Size in Certificate
It is easy to find the key size in your browser. Below are easy steps for Windows to find the key size applied in a certificate.
- First, you need to click on the search icon and type .exe (for example, Firefox Installer.exe).
- Now, click on the exe file. You will get a dialogue box where you need to click on “Show more details”.
- Click on the “Show More Details” link and it will show “Show information about the publisher’s certificate”.
- You will have a Certificate box where you can find three tabs (General, Details, and certificate path)
- You need to click on the “Details” tab and scroll down to the Public key field.
- Against the Public key field, you will find the key size (2048 or 3072-bit key length) in the Value column.
NOTE: If you have a 2048-bit key size in your certificate details, then it is time to reissue the current Code Signing certificate and get a new 3072-bit key size certificate.
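The same check can be scripted instead of clicked through. The PowerShell below is an added example, not part of the original article: the function names Get-CertKeyInfo and Get-SignatureKeySize are hypothetical, and it assumes Windows with the built-in Get-AuthenticodeSignature cmdlet. It goes a little beyond the steps above by also reporting the time stamp certificate and by handling unsigned files and non-RSA keys.

```powershell
# Added example: report the RSA key size of the signing and time stamp
# certificates on a signed file and flag keys below 3072 bits.
$MinimumRsaBits = 3072   # key size the article says applies from June 1, 2021

function Get-CertKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if ($null -eq $Certificate) { return $null }   # file unsigned or not time stamped
    # GetRSAPublicKey returns $null when the certificate key is not RSA (for example ECDSA).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) {
        return [pscustomobject]@{
            Algorithm = $Certificate.PublicKey.Oid.FriendlyName; Bits = $null; MeetsMinimum = $null
        }
    }
    try {
        [pscustomobject]@{
            Algorithm = 'RSA'; Bits = $rsa.KeySize; MeetsMinimum = ($rsa.KeySize -ge $MinimumRsaBits)
        }
    } finally { $rsa.Dispose() }
}

function Get-SignatureKeySize {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            Write-Warning "File not found: $Path"
            return
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $Path
        $signer = Get-CertKeyInfo $sig.SignerCertificate
        $stamp  = Get-CertKeyInfo $sig.TimeStamperCertificate
        [pscustomobject]@{
            File             = $Path
            Status           = $sig.Status                       # e.g. Valid, NotSigned
            SignerAlgorithm  = $signer.Algorithm
            SignerBits       = $signer.Bits
            SignerMeets3072  = $signer.MeetsMinimum
            SignerIssued     = $sig.SignerCertificate.NotBefore  # compare with June 1, 2021
            TimestampBits    = $stamp.Bits
            TimestampMeets3072 = $stamp.MeetsMinimum
        }
    }
}

# Usage: the installer named in the steps above, assumed to be in the current folder.
Get-SignatureKeySize -Path '.\Firefox Installer.exe' | Format-List
```

A SignerBits value of 2048 together with a SignerIssued date before June 1, 2021 matches the existing-certificate case described earlier.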
The change in key size is a welcome step for Code Signing users and it will not cause any harm to users. It is time for developers to reissue or renew their Code Signing certificate with the latest key size to make software security robust. Once you reissue the certificate, the certificate authority and the OS vendors will deal with the technical background, as they have updated their infrastructure according to the new key size to issue a new certificate with a 3072-bit key size. Do not wait for long and just grab the enriched 3072-bit key length for your Code Signing certificate.