The Problem
SSL certificate providers are moving from certificates signed with 1024-bit RSA keys to the new 2048-bit RSA key standard. One article explaining the background and significance of the issues this can cause; also an article from VeriSign about the migration.
For our particular web application, we have hundreds of customer systems that connect to our system via SOAP API calls over HTTPS and via HTTPS POSTs. A secondary issue is end users who browse to the HTTPS URLs. For end users, the upgrade from a VeriSign 1024-bit cert to a new 2048-bit cert should not have a massive impact, as most browsers/operating systems will trust the new root CA. The legacy systems that connect to us are a different story: developed up to 10 years ago, they are on a variety of hardware and OS flavours and have varying certificate management strategies. The impact if they don't trust the new root CA is catastrophic, as their systems that have been running with no problems for years will suddenly stop working. The fix is simple, but requires an administrator to apply it on their server.
Potential Solutions
- Delay the upgrade for as long as possible (tricky, as the certs will expire in the next year and no reputable providers issue 1024-bit certs).
- Contact each customer and walk them through the upgrade process (possible but difficult, as the technical contact that did the original implementation may no longer be around).
How are other organisations handling this problem?
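As an added illustration of the trust problem described in the question above (example code written for this page, not part of the original post or any vendor's tooling), the POSIX shell script below builds two throwaway roots with `openssl`, a 1024-bit "legacy" root and a 2048-bit "new" root, issues a leaf from the new root, and then runs `openssl verify` against each trust store. This is the same check a customer administrator can run against their own CA bundle before the cutover: if the store that their legacy integration uses does not contain the new root, the new chain is rejected. All names, paths, subjects and key sizes here are constructed for the demo.

```shell
#!/bin/sh
# Added example: demonstrate that a client trust store lacking the new root
# rejects a certificate issued from it. Everything here is throwaway test
# material generated into a temp directory; nothing touches system stores.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME BITS -> self-signed root cert $WORK/NAME.pem and key $WORK/NAME.key
make_root() {
  openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" >/dev/null 2>&1
}

# issue_leaf ROOT NAME -> end-entity cert $WORK/NAME.pem signed by ROOT
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# trusts STORE LEAF -> exit 0 if the trust store validates the leaf, else 1.
# This mirrors what a customer admin runs against their own CA bundle.
trusts() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# key_bits CERT -> prints the RSA modulus size of the certificate's public key
key_bits() {
  openssl x509 -noout -text -in "$WORK/$1.pem" \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Constructed scenario: the old root is 1024-bit, the new one is 2048-bit,
# and the server's new certificate is issued from the new root only.
make_root legacy-root 1024
make_root new-root 2048
issue_leaf new-root api-leaf

# Report what each trust store makes of the new server certificate.
for store in legacy-root new-root; do
  if trusts "$store" api-leaf; then
    echo "trust store '$store' ($(key_bits "$store")-bit root): accepts api-leaf"
  else
    echo "trust store '$store' ($(key_bits "$store")-bit root): REJECTS api-leaf"
  fi
done
```

Against a real deployment the same check is `openssl verify -CAfile /path/to/customer-bundle.pem -untrusted intermediates.pem server.pem`, run with the customer's bundle rather than the generated one; a non-zero exit from `verify` before the cutover is exactly the failure the question anticipates, caught while there is still time to add the new root to that store.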