200609: Thawte does not certifies 512 bits keys anymore

As of September 2006, Thawte won't deliver certificates generated from 512-bit public keys anymore.

The minimum key length was 512-bit. It is now considered by specialists as insufficient. The new required length is 1024-bit. The goal being to increase security.

The public key is created by your software when generating the CSR (see Obtain a server certificate). In this process you have the choice of the key length. From now on, select 1024-bit (TBS interface displays an alert since early 2006 when you provide a CSR created from a 512-bit key).
Some old software (more than 5 years old) do not permit to create keys longer than 512-bit. If it is your case, your existing Thawte certificate won't be renewable and you won't be able to order new certificates.

In this situation, 2 scenarii:

• contact your software supplier to get 1024-bit-compatible version
• contact us, we may help you find a certificate from an other brand, still accepting 512-bit

The following software, that generate 512-bit by default, are also 1024-bit-compatible:

• MS IIS 4 SP6
• MS IIS 5 SP2+
• MS IIS 6
• Apache SSL and ModSSL (and any product using openssl for the keys generation)

The new browsers will display alerts during the connection when spotting 512-bit certificates and will classified them as 'untrustworthy'. It is already the case for:

• Opera 9

In order to keep your users' trust, we advise, if possible, to reissue your certificate on a 1024-bit basis. See Reissuance