53

I was recently requesting an SSL cert via GoDaddy and noticed this message:

> Make sure the CSR you generate uses a 2048-bit or greater key length

In the past I have always generated 2048-bit CSR requests, but this time it got me thinking that perhaps I should "step it up," and it seems like the next step would be a 4096-bit version.

There isn't much info available on 4096-bit SSL certs - but apparently many people have been using 1024-bit certificates until they absolutely had to upgrade and now some browsers won't support the 1024-bit certificates anymore.

How is browser support for 4096-bit certificates? If GoDaddy requires "at least" a 2048-bit certificate, is that enough, or should I try and do something more? If so, what are the advantages and disadvantages?

PS: the two links in GoDaddy's message are CSR Help and Learn more, neither of which I found very helpful.

a cat
cwd
  • 10
    I suspect you're probably safe with 2048 for a few more years. 2^2048 is a very big number; 3.23x10^616. Even assuming that a 1048 bit key was factorisable by your average desktop, which it's not in any non-significant length of time, you've got years before a 2048 bit key is. Unless you're protecting bank accounts etc., it's probably not worth the extra time it'd take to compute each time you do something (which is the disadvantage). – Ben Dec 10 '11 at 01:41
  • 1
    Thank you. That looks like an answer more than a comment, not that I'm not open to others' feedback. – cwd Dec 10 '11 at 01:49
  • @Ben Note that a 2048-bit RSA key "only" has similar strength against a brute force attack as a 112-bit symmetric key. Similarly, 1024-bit RSA is equivalent to 80-bit symmetric, and 3072-bit RSA is equivalent to 128-bit symmetric. [Source](http://www.rsa.com/rsalabs/node.asp?id=2004) – ntoskrnl Jun 20 '13 at 06:47
  • @ntoskrnl The "source" link about comparable key strength seems outdated, but Stackexchange has the info in a very nice form here: http://crypto.stackexchange.com/questions/8687/security-strength-of-rsa-in-relation-with-the-modulus-size – David Tonhofer Apr 03 '15 at 13:52
  • @Ben, Very soon 2048 is going to be unsafe. Better to upgrade now. See http://security.stackexchange.com/questions/65174/4096-bit-rsa-encryption-keys-vs-2048#comment219184_65180 for more info. – Pacerier Apr 12 '16 at 15:01
  • @Pacerier “Very soon 2048 is going to be unsafe” Where do you get this? All the sources I know give it at least until 2022 ([BSI](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile) seems to be the most conservative). – Gilles 'SO- stop being evil' Apr 12 '16 at 15:33
  • I wrote that 5 years ago @Pacerier, and the sources you cite still seem to agree with it.... – Ben Apr 12 '16 at 16:05

4 Answers

34

Pretty much all* browsers will support 4096-bit keys. The issue you'll run into is that key exchange is slower with larger keys, which will increase load on the server and slow down page loading on the client.

2048-bit keys are generally considered safe for the time being. If you want an intermediate step, though, 3072-bit keys are right smack-dab in the middle.

*: Only exception might be a couple of weird, old mobile / embedded browsers.

  • Thanks. I noticed generating a 4096 bit key took a whole lot longer as well, and the final size of it was bigger as well. – cwd Dec 10 '11 at 02:21
  • 4
    Performance is the reason why almost all sites use 2048-bit RSA, and some busy sites like Google use 1024-bit RSA. – ntoskrnl Jun 20 '13 at 06:48
  • 5
    Just to update: On 18 Nov 2013, Google announced that its SSL certificates have been upgraded to 2048-bit RSA. http://googleonlinesecurity.blogspot.fr/2013/11/out-with-old-stronger-certificates-with.html – Candice Jan 23 '14 at 09:01
  • 1
    Any idea of how much slower 4096 is than using a 2048? Any benchmarks? – Justin Sep 12 '14 at 20:13
  • 3
    Server side there can be some limitations, [CloudFront i.e. does not support 4096 bit certificates (max of 2048 bit)](http://stackoverflow.com/questions/17537498/having-trouble-associated-ssl-cert-with-amazon-cloudfront) – Alexander Jung-Loddenkemper Oct 06 '14 at 20:09
  • @AlexanderJung-Loddenkemper, This is not a trouble with "server side", this is an Amazon host problem. – Pacerier Apr 12 '16 at 15:04
  • @Justin, Here's an anecdotal benchmark: https://blog.nytsoi.net/2015/11/02/nginx-https-performance – Pacerier Apr 12 '16 at 15:06
  • @ntoskrnl, **No way,** 2048 with 128 symmetrical is the bare minimum. – Pacerier Apr 12 '16 at 15:20
  • @Pacerier I agree. My earlier comment is three years old, and Google did use 1024-bit keys back then. Now, of course, they have upgraded to 2048-bit keys. – ntoskrnl Apr 12 '16 at 15:40
  • @ntoskrnl, 2048 is the bare minimum [even at that time](http://stackoverflow.com/a/589850/632951). If Google did use 1024 back then, it's simply because they have too many things in their backlog (think: Google Plus) and people weren't complaining enough about security back then (pre-[Snowden](https://en.wikipedia.org/wiki/Edward_Snowden) era). (Curiously, your comment was 10 days *into* Snowden era.) Think about it, if 1024 is not OK in year-X, then it's not OK in 3 years before year-X. For example, if 3 years later 2048 is not OK, it wouldn't be OK now. – Pacerier Apr 13 '16 at 14:02
  • 1
    @Pacerier I agree. I don't seem to have implied otherwise in my comment (or at least I did not intend to). In fact, I have commented about key strength on the question above as well. – ntoskrnl Apr 13 '16 at 14:25
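
As an added example, not code from the answer or its commenters: this Go program measures, for the key sizes discussed above, the CSR size, the signature size, and the average cost of the private-key operation (server side) against the public-key operation (client side). `Measure`, `KeyCost` and the name `www.example.test` are constructed for the illustration; it times raw RSA operations from Go's standard library, not a full TLS handshake.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

// KeyCost is what one RSA modulus size costs in bytes and CPU time.
type KeyCost struct {
	Bits, CSRBytes, SigBytes int
	Sign, Verify             time.Duration // average per operation
}

// Measure generates a key, builds a CSR for a constructed name, and times
// `rounds` (> 0) PKCS#1 v1.5 signatures and verifications with that key.
func Measure(bits, rounds int) (KeyCost, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return KeyCost{}, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "www.example.test"}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	digest := sha256.Sum256([]byte("constructed message"))
	var sig []byte
	start := time.Now()
	for i := 0; i < rounds && err == nil; i++ { // private-key operation
		sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	}
	sign := time.Since(start) / time.Duration(rounds)
	start = time.Now()
	for i := 0; i < rounds && err == nil; i++ { // public-key operation
		err = rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig)
	}
	verify := time.Since(start) / time.Duration(rounds)
	return KeyCost{bits, len(csr), len(sig), sign, verify}, err
}

func main() {
	for _, bits := range []int{2048, 3072, 4096} {
		c, err := Measure(bits, 50)
		fmt.Printf("%+v err=%v\n", c, err)
	}
}
```

The signature length always equals the modulus length in bytes, so the size figures are deterministic; the timings depend on the machine and should be compared as ratios between key sizes.
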
16

If you are going to use Amazon CloudFront, they only support up to 2048 bit keys as of today.

References:

Community
tnj
6

If you have a 4096 bit SSL certificate, in order to support some clients (especially Java-based clients and some older clients) you will want to generate a 2048 bit or 1024 bit Diffie-Hellman Key and add it to your server certificate. However, if you support a 1024 bit DH key you should also be aware of the Logjam attack. You can accommodate these clients easily by adding a DH key of the appropriate size, but first carefully consider which clients you want to support.

Parker
2

Hi, sorry for answering a SOOO OLD thread, but the main point in "NOT" creating a 4096 cert is that your CA cert will be 2048, so creating a 4096 sub cert is pointless... even having a 2049 bit long cert will make an attacker attack your CA cert instead of yours.

BiG_NoBoDy