On June 27, 2010 Thawte upgraded SSL123 and Thawte Web Server Certificates to the 2048 bit Thawte Primary Root CA. This root uses the SHA-1 hashing algorithm and 2048-bit RSA keys.
The upgrade of Thawte Code Signing Certificates took place on July 15, 2010.
There is no action necessary on your part for your existing certificates. Your current valid Certificates issued from our current MD5, 1024 bit RSA keys will continue to operate correctly and securely after the migration to the 2048-bit RSA keys.
You can download free trial Certificates from our Web site www.Thawte.com for testing Certificates that chain to a SHA-1, 2048-bit RSA key.
What is Changing?
Thawte is migrating its public root certification authorities from MD5, 1024 –bit RSA keys to 2048-bit RSA keys.
As part of this change, Thawte will be introducing industry best practices of using intermediate Certification Authority Certificates to sign all SSL and code signing certificates.
"Thawte Code Signing Certificates, SGC SuperCerts and Web Server Certificates with Extended Validation already utilize intermediate certificates. Only SSL123 certificates and Web Server Certificates are still issued as “unchained”, i.e. the certificates are issued directly by an online root. All Thawte SSL and Code Signing certificates issued after this root migration will be signed by an intermediate certificate that chains to a secure off line Root CA."
This change and the timing is in line with industry best practices Thawte follows to ensure the highest level of security as well as convenience for our customers. This change is an industry wide initiative, for example, the US National Institute of Standards and Technology (NIST), has recommended transitioning over to 2048 bit keys.
Browser vendors are also starting to require the use of SHA-1 and 2048 keys, e.g., Microsoft has stipulated requirements for all Certificates that require that all new Root Certificates must have a minimum be 2048-bit RSA keys and not use MD5 as the hashing algorithm..
What do I need to do?
There is no action necessary on your part. Your current valid Certificates issued from our MD5, 1024 bit RSA Roots will continue to operate correctly and securely. There is no need to replace your existing Certificates. Thawte is providing this advance information to ensure a smooth transition. Also, this information will help you in making your IT investment decisions e.g. ask the vendors if they support 2048-bit RSA keys etc.
Are test Certificates available?
You can download free trial Certificates from our Web site www.Thawte.com for testing Certificates with 2048-bit RSA keys. In order to test a true 2048 bit hierarchy, please ensure to generate 2048 bit keys for the test certificate.
Code Signing Trial certificates are unfortunately not available.
Are Extended Validation (EV) Certificates affected ?
This change does not affect EV Certificates. EV Certificates are already issued under 2048-bit RSA keys.
How can I get the new Thawte Intermediate CA's?
The new Thawte intermediate CAs are available at SO13881