When setting up an SSL certificate, you may find information that mentions the terms “key size” and “1024-bit length”. In this article, we will explain what these terms mean, but first, let’s review the term “bit”.
What is a bit?
A bit is the smallest unit of information in any computer. In a binary value, a bit can be either 1 or 0. Physically, this means that the device interprets one voltage level as 1 and another as 0. Modern computers are designed to manipulate, store, and execute data in bits.
Now that we understand what a bit is, we can look at what bit length (also known as key size or key length) means in SSL encryption.
Encryption used in SSL certificates is based on asymmetric algorithms in which a pair of keys is used. Both of these keys, private and public, are mathematical objects with their own structure. An essential part of both objects is a modulus. So when we refer to the key length, we actually mean the size of the modulus expressed in binary (bits).
When you generate a CSR code for SSL activation, you are asked to select the “key size”, that is, to choose which modulus size will be used for your data encryption. It is worth mentioning that the length of the key also corresponds to the security strength of the SSL. Thus, the longer the key, the more combinations one needs to try in order to break it and get the encrypted data.
Starting January 1st, 2014, certificates with a 1024-bit key size were considered vulnerable and therefore were deemed invalid. New SSL certificates with 1024-bit keys are no longer issued by Certificate Authorities, and it is also not possible to activate a certificate using a 1024-bit key CSR at Namecheap. According to new industry standards, the minimum key size accepted by our system is 2048 bits.
In addition to the 2048-bit key, you may also activate your certificate with a 4096-bit key. However, we would not recommend creating a CSR with longer keys. SSL certificates using 4096-bit keys can influence website performance, since key exchange is slower with larger keys. These large keys also increase the load on the server and slow down website loading. 2048-bit keys are expected to be completely secure through 2030.
Should you have any old certificate with us which was activated with a 1024-bit key, please make sure to reissue it via your account using the CSR generated with a 2048-bit key.
To check the key size your installed certificate uses, please navigate to this online tool > type in your domain > click on the “Check” button > navigate to the “General Information” section > check the “Key size” value.
Alternatively, if you have your SSL certificate file, you can decode it in the tool and check the “Key size” value there.
It is also possible to check the key size with the OpenSSL command. To check the key size of the certificate installed on a website (one that is accessible via the https:// protocol), please type the following in the command line:
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"
If you would like to check your SSL file (example.crt), the following command can be used:
openssl x509 -in example.crt -text -noout | grep "Public-Key"
Also, it is possible to retrieve the key size from the exact Private Key file (example.key):
openssl rsa -in example.key -text -noout | grep "Private-Key"
The result in all three cases will look something like this: Public-Key: (2048 bit)
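The three checks above can be folded into one audit script. The following is an added example, not part of the original article: the function names and the verdict labels (reissue, ok, ok-slower) are assumptions, and the sample lines are constructed. It applies to RSA keys only; elliptic-curve keys report much smaller bit counts that cannot be compared against this threshold.

```shell
#!/bin/sh
# Added example: audit RSA key sizes against the 2048-bit minimum
# described in the article. Function names and verdicts are illustrative.
MIN_BITS=2048   # minimum accepted key size, per the article

# Read `openssl ... -text -noout` output on stdin, print the key size in bits.
# Handles "Public-Key: (2048 bit)" and "Private-Key: (2048 bit, 2 primes)",
# with or without the "RSA " prefix that older OpenSSL releases print.
key_bits() {
    sed -n 's/^.*-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# Map a bit count to a verdict: reissue (below the minimum), ok, or
# ok-slower (above 2048: accepted, but the article warns about server load).
classify_bits() {
    case $1 in
        ''|*[!0-9]*) echo "unknown" ;;
        *) if   [ "$1" -lt "$MIN_BITS" ]; then echo "reissue"
           elif [ "$1" -gt "$MIN_BITS" ]; then echo "ok-slower"
           else echo "ok"
           fi ;;
    esac
}

# Audit one PEM certificate file (assumes the openssl CLI is on PATH).
audit_cert_file() {
    bits=$(openssl x509 -in "$1" -text -noout 2>/dev/null | key_bits)
    echo "$1: ${bits:-?} bit: $(classify_bits "$bits")"
}

# Constructed sample lines imitating OpenSSL text output (not real keys).
sample_lines() {
    printf '%s\n' \
        '                Public-Key: (2048 bit)' \
        'RSA Private-Key: (1024 bit, 2 primes)' \
        '                Public-Key: (4096 bit)'
}

if [ "$#" -gt 0 ]; then
    # Usage: sh audit.sh example.crt other.crt
    for f in "$@"; do audit_cert_file "$f"; done
else
    # No arguments: run the classifier over the constructed samples.
    sample_lines | while IFS= read -r line; do
        bits=$(printf '%s\n' "$line" | key_bits)
        echo "$bits bit: $(classify_bits "$bits")"
    done
fi
```

Run with certificate files as arguments to audit them; any file reported as "reissue" needs a new CSR generated with a 2048-bit key.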
Once the reissue is completed and a new certificate is received, please install it on the server using the correct Private Key generated.