What RSA key length should I use for my SSL certificates?

Question

I\'m in the process of creating a CSR, and I wonder which is arguably the best length for my RSA key.

Of course, 384 is probably too weak, and 16384 is probably too

Answer 1

As of 2020, RSA keys should be 2048 bits.

1024 bits

• 1024 bits RSA certificates are obsolete and not accepted by browsers.
• Firefox stopped accepting 1024 bits RSA certificates in 2014.
• Certificate authorities stopped delivering 1024 bits RSA certificates in 2014 or before. See GlobalSign or Comodo notice.
• 1024 bits keys were deprecated because they could be cracked given a small datacenter (thousands of CPU or hundreds of GPU, in maybe a few months). It may seem a lot but it was well within reach of any large organization or government.

2048 bits

• 2048 bits RSA certificates are currently the accepted norm in use.
• Default baseline delivered by CA and used by software.
• Will eventually be cracked too. Don't know when but could take decades.
• Doubling the size takes many many orders of magnitude more compute power to crack. See question how much stronger is RSA 2048 compared to 1024.

4096 bits

• 4096 bits RSA certificates are the next step
• Widely available and supported. All major CA can provide both 2048 and 4096 bits RSA, including let's encrypt.
• Computational cost is not linear with key size. 4096 is not twice as slow as 2048, it is maybe 10 times slower to process. Do not blindly upgrade certificates to 4096 bits without considering the performance impact.
• The "web" is largely remaining on 2048 bits certificates because it cannot bear the hardware cost for 4096 bits. Consider large actors like Google, CloudFlare, NetFlix with immense traffic and hardware footprint.

3072 bits

• 3072 bits is not a thing. Jump straight to 4096 bits.
• It's entirely possible to do 3072 bits cryptography, it's just that no software really implement, support and advertise it officially.
• Historically, there was an attempt circa 2010-2015 to launch 3072 for use-cases where the extra computational cost of 4096 is not ideal. It faded away but there are still some old articles spreading the merits of (faster) 3072.

Extra

• RSA was first publicly described in 1977 and it's still strong almost 50 years later. Just have to increase the number of bits to keep up with faster computers.
• There is another method for public key cryptography based on elliptic curves, see ECDSA (1992).
• There is a huge disconnect between the capacity of a user and of an attacker. A web server or a mobile client have one (low-power) CPU. An attacker can have a whole datacenter, for reference a newly built AWS datacenter is hosting about 60 000 servers.
• It is incredible that a single mobile device can compute some maths over a few seconds... that millions of computers couldn't dream to guess in a lifetime.

Answer 2

ENISA recommends 15360 Bit. Have a look to the PDF (page 35)

http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report/at_download/fullReport

Answer 3

For SSL certificates used on websites, this text from the Thawte.com website (as at 2014-07-22) is important to note:

Industry standards set by the Certification Authority/Browser (CA/B) Forum require that certificates issued after January 1, 2014 MUST be at least 2048-bit key length.

Answer 4

This coming August, Microsoft is going to deploy a patch to Server 2003/2008, Win7 ect.. that will require the use of a minimum 1024 bit RSA key. So you might as well start making that your "bare minimum" standard.

Answer 5

I needed to create several new SSL certs and was not satisfied with the answers above because they seemed vague or out dated so I did a little digging. Bottom line the selected answer is correct use "2048-bit keys... longer is meaningless".

Increasing the bit length to 4096 adds a potentially meaningful load to your server (depending on your existing load) while offering basically an insignificant security upgrade

If you are in a situation where you need longer than a 2048 bit key you don't need a longer bit length, you need a new algorithm

Answer 6

As many customers require compliance with NIST cryptographic standards, I use the guidance in the NIST Special Publication 800‑57, Recommendation for Key Management Part 1, §5.6. Most of our applications are a good fit for 112 "bits" of security, so that corresponds to triple-DES (or a small bump up to 128-bit AES) for symmetric ciphers and a 2048-bit key for RSA. See Table 2 for a rough equivalence.

Valid or not, being able to refer them to a NIST publication helps customers feel better about security (if they bother to ask).