Beginning 10 of December of 2025, the AOC will implement a change in the size of the cryptographic keys of the end-entity certificates (citizenship, public workers and electronic seals). The current size of RSA 2048 will be replaced by RSA 3072, in line with the requirements of the eIDAS identity framework and the Ministry for Digital Transformation and the Public Service, which acts as supervisor.
This change responds to the forced migration established by the recommendations of the National Cryptological Center (CCN), collected in the CCN-STIC-221 guide, which establishes as a deadline the 31 of December of 2026 for the exclusive use of RSA keys longer than 3000 bits. This measure aims to strengthen the security of the cryptographic algorithms used by trust services, given the vulnerabilities detected in RSA keys of up to 2048 bits and advances in computing capacity and cryptanalysis techniques.
This step is part of a evolutionary process towards the adoption of keys and algorithms based on elliptic curves, planned for the next 2-3 years, in line with international trends in advanced cryptography.
The AOC has validated that cards, applications and services that use these certificates will continue to function correctly with the new RSA 3072 size. However, if customers have their own applications that they believe may present incompatibilities, they can request test certificates with RSA 3072 to verify its operation before the change date.
For any questions or to request sample certificates with RSA 3072, you can contact our Customer Service Center.
