Google will also be changing the root certificate that signs all of its SSL certificates, since it also still uses a less-secure 1024-bit key. The company says it will begin switching to the new 2048-bit certificates on August 1, giving itself a solid five months to “ensure adequate time for a careful rollout before the end of the year.”
That’s still over three months away, but Google is announcing its plan now because it knows some configurations will require extra steps to avoid complications. The company specifically mentions client software embedded in devices such as some phones, printers, set-top boxes, gaming consoles, and cameras.
As a result, client software that makes SSL connections to Google (usually in the form of HTTPS) must adhere to the following requirements:
- Perform normal validation of the certificate chain.
- Include a properly extensive set of root certificates.
- Support Subject Alternative Names (SANs).
For the second point, Google offers an example set in its FAQ which should be sufficient. That being said, the firm warns the contents of the list may change over time, so clients should make sure they have a way to update it themselves as changes occur.
Last but not least, Google notes clients should, but are not required to, support the Server Name Indication (SNI) extension, which may require an extra API call to set the hostname on an SSL connection. If you’re not sure your client is using SNI, test it against https://googlemail.com: this URL will only validate if you are sending SNI.
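A client configuration that meets the requirements above, next to a constructed lax configuration and a small audit function. This is an added example, not code from Google or the original article. It uses Python's standard `ssl` module, the function names are assumptions, and only `peer_sans` needs network access.

```python
import socket
import ssl


def strict_context():
    """Client context meeting the requirements listed above."""
    ctx = ssl.create_default_context()   # loads the platform's root store
    ctx.verify_mode = ssl.CERT_REQUIRED  # validate the certificate chain
    ctx.check_hostname = True            # match the hostname against SANs
    return ctx


def lax_context():
    """Constructed counter-example: encrypts but authenticates nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be disabled before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Return the names of the requirements that ctx fails."""
    failures = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        failures.append("chain validation")
    if not ctx.check_hostname:
        failures.append("hostname/SAN matching")
    if not ssl.HAS_SNI:
        failures.append("SNI support")
    return failures


def peer_sans(host, ctx, port=443, timeout=10):
    """Live check (needs network): handshake with SNI, return DNS SANs."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname is the extra call that sends SNI; it is also
        # the name that check_hostname verifies the certificate against.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    for name, ctx in (("strict", strict_context()), ("lax", lax_context())):
        print(name, "fails:", audit(ctx) or "nothing")
```

Calling `peer_sans("googlemail.com", strict_context())` performs the SNI test the article describes: the handshake raises `ssl.SSLCertVerificationError` if the chain or hostname check fails.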
Again, most will not be affected by this change. If you think you will be, however, you’ll want to read over the more technical details in this document: How to Use X.509 Certificates and SSL For Secure Communications.
Top Image Credit: Miguel Saavedra