** CAs who continue to issue certificates with RSA key size smaller than 2048 bits must use randomness in the serial number or in one of the fields in the DN.
* '''December 31, 2013''' – Mozilla will begin disabling disable or removing remove all root certificates with RSA key sizes smaller than 2048 bits.
Caveats to proposed dates: