Updated May 2, 2011 - corrected the URL to NIST SP 800-131 from the draft publication to the final NIST SP 800-131A.

We based our technical requirement for migrating away from 1024-bit RSA certificates on NIST guidance, which NIST updated with SP 800-131: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

In general, this means that CAs should continue to deploy certificates with stronger key lengths; the vast majority of CAs have already migrated to 2048-bit RSA in most scenarios. If a CA must continue to issue 1024-bit RSA end-entity certificates in certain contexts (e.g. hardware, smart cards, and other devices incapable of accepting longer key lengths), those certificates should be considered “deprecated” or “restricted”, as those terms are defined in the NIST document.

In any event, end-entity 1024-bit certificates should not expire after December 31, 2013.

Questions?  Contact casubmit@microsoft.com
