Mozilla products including the popular Firefox browser will stop trusting SSL certificates that were issued using old root CA certificates with 1024-bit RSA keys.
“If you manage an SSL-enabled website, this change will not impact you if your certificates and the certificates above it have 2048-bit keys or more,” states a Mozilla security blog post. “If your SSL certificate has a 1024-bit key, or was issued by a certificate with a 1024-bit key, then you will need to get a new SSL certificate, and update the certificates in your Web server.”
When a user access to a website it presents its SSL certificate that is verified on the client side by browser by using the above CA digital certificates.
Following the exclusion of the CA certificates starting from Firefox 36, the company and its products will no longer trust SSL certificates that chain back to the roots and users will present a message that inform them of an “untrusted connection error”.
Mozilla has started the Phasing out Certificates with 1024-bit RSA Keys in September 2014, when the company excluded from the Firefox 32 CA certificates issued by EMC/RSA, Entrust, GoDaddy, NetLock, SECOM and Symantec / VeriSign.
“For many years, Mozilla, NIST, the CA/Browser Forum, and others have been encouraging Certification Authorities (CAs) to upgrade their 1024-bit RSA keys to a stronger cryptographic algorithm (either longer RSA keys or ECDSA)” states Mozilla in a previous post. “We are actively working with CAs to retire SSL and Code Signing certificates that have 1024-bit RSA keys in an effort to make the upgrade as orderly as possible, and to avoid having system administrators find themselves in emergency mode because their SSL keys were compromised.”
Mozilla plan to conclude the phasing out of CA certificates in the first half of 2015, it has announced the removal of two more Equifax root certificates owned by Symantec, one of which is still “very widely used.”
(Security Affairs – Mozilla, CA certificates)