Ask SSL Support Desk: I need a certificate that is FIPS 140-2 compliant. Are SSL Certificates FIPS 140-2 compliant? - SSL Support Desk (2024)

What is Ask SSL Support Desk?

It is a summary of random questions that have come to the attention of Acmetek's most awesome technical support reps, answered and shared for the SSL Support Desk's SSL Library, which is designed to teach and educate the community.

Question:
Are SSL Certificates FIPS 140-2 compliant?

Short Answer:
Yes-ish.

But FIPS pertains more to the actual physical protection of the cryptographic modules that hold digital certificates and their keys than to the certificate itself. If a certificate authority such as Entrust or Comodo did not follow the guidelines set by FIPS 140-2, they would be out of business.

If you get an EV Code Signing certificate you will definitely get a FIPS 140-2 compliant certificate, because the actual certificate is installed on a single FIPS 140-2 validated USB token.

More Information:

The FIPS (Federal Information Processing Standard) was created by the National Institute of Standards & Technology (NIST) to address security concerns about cryptographic modules and how they are managed: hardware, software, firmware, or a combination of the three that implements some form of cryptographic function (encryption, hashing, message authentication, or key management). This pertains to how key pairs are created and how Certificate Authorities sign SSL, Code Signing, Client, Email, or IoT (Internet of Things) certificates.

FIPS 140-2 refers to the module that stores sensitive information such as SSL or Code Signing certificates, for example a hardware token. When storing SSL, Code Signing, or Client ID certificates, the FIPS standard also applies to the algorithms that module uses to create the key pair.

For example, when enrolling for a certificate the user chooses to store that certificate on a Rainbow 2032 USB token. That token is considered to be FIPS 140-2 compliant because an NVLAP-accredited Cryptographic and Security Testing (CST) laboratory performed conformance testing of this cryptographic module.

Once a cryptographic module passes the Security Requirements for Cryptographic Modules, the vendor of that module is issued a FIPS 140-2 Validation Certificate. Each certificate has a unique certificate number.
For more information on these Validation Certificates refer to http://csrc.nist.gov/groups/STM/cmvp/validation.html

There are 4 security levels in FIPS 140-2, ranging from the cryptographic algorithms a module uses, through its physical security, to how the whole module is implemented.

Level 1:
Security Level 1 covers the basic security requirements: the cryptographic module must use approved algorithms for encryption, and these requirements are met mostly at the software level.

Level 2:
Security Level 2 adds physical security mechanisms on top of Security Level 1: evidence of tampering, such as tamper-evident coatings or seals that must be broken to gain physical access to the cryptographic module. Think of the top of a Snapple bottle: if the seal is already popped before you bought it, the bottle has been tampered with, compromising the enjoyable drink inside.

Level 3:
Security Level 3 adds further physical security mechanisms intended to have a high probability of detecting and responding to attempts at physical access, use, or modification of the cryptographic module. These may include strong enclosures and tamper-detection/response circuitry. If a compromise is detected, the module deletes (zeroizes) its cryptographic keys so that nothing can be stolen.

Level 4:
Security Level 4 deals with literal acts of God: the cryptographic module must be protected against environmental conditions such as floods or voltage outages, which an attacker could use to thwart the module's defenses. A cryptographic module is required either to include special environmental protection features designed to detect fluctuations, or to undergo rigorous environmental failure testing to provide reasonable assurance that fluctuations outside the normal operating range will not compromise its security.

Posted by:
Dominic Rafael
Senior Lead IT Engineer
Be sure to Subscribe!!


FAQs

How do I get my FIPS 140-2 certificate? ›

To achieve FIPS 140-2 validation or certification, all components of a security solution, including both hardware and software, must undergo testing and approval by one of the NIST-accredited independent laboratories.

What is the FIPS 140-2 SSL certificate? ›

FIPS 140-2 Overview

This standard specifies the security requirements that will be satisfied by a cryptographic module. … The security requirements cover areas related to the secure design and implementation of a cryptographic module.

How do I get an SSL certificate? ›

To get a certificate, you must create a Certificate Signing Request (CSR) on your server. This process creates a private key and public key on your server. The CSR data file that you send to the SSL Certificate issuer (called a Certificate Authority or CA) contains the public key.

How to verify FIPS 140-2 compliance? ›

How to tell if it's real FIPS 140-2: the easiest way to determine whether your CSP is FIPS 140-2 certified is to check the NIST Cryptographic Module Validation Program (CMVP) website and search for the company's name in NIST's Validated Modules database.

Is FIPS 140-2 mandatory? ›

Most organizations and agencies mandate that any new cryptographic product used to protect their information be validated to FIPS PUB 140-2. Both the U.S (NIST) and Canadian (CSE) federal governments have adopted FIPS PUB 140-2.

How do I become FIPS-compliant? ›

FIPS compliance means a product meets all the necessary security requirements established by the U.S. government for protecting sensitive information. To be FIPS-compliant, a product must adhere to rigid standards, pass rigorous testing, and be certified by NIST.

How do I know if my SSL certificate is FIPS compliant? ›

For example, ValidateCert.exe /validate c:\SSLCertFolder\myCertificate.pfx myStrongPassword
  1. If the SSL certificate is not FIPS compliant you will see the following message: "Certificate is not FIPS 140-2 compliant"
  2. If the SSL certificate is FIPS compliant you will see: "Certificate validated successfully and is compliant"

Is FIPS 140-2 obsolete? ›

The U.S. federal government's transition to the FIPS 140-3 cryptography standard has begun, with NIST announcing that all FIPS 140-2 certificates will be retired in September 2026.

What is the FIPS 140-2 compliant protocol? ›

FIPS 140-2 compliance applies to all federal agencies using cryptographic security measures to protect sensitive but unclassified information. It applies to not only cryptographic hardware components and modules but software and firmware programs and modules as well.

Can I install my own SSL certificate? ›

Technically, anyone can create their own SSL certificate by generating a public-private key pairing and including all the information mentioned above. Such certificates are called self-signed certificates because the digital signature used, instead of being from a CA, would be the website's own private key.

How much does an SSL certificate cost? ›

On average, a Secure Sockets Layer (SSL) certificate costs around $60/year. However, the price can vary from $8 to $1000/year, depending on various factors, such as the number of domains one can protect, the validation process, the warranty, or the certificate authority itself.

Can I get an SSL certificate for free? ›

SSL For Free is a nonprofit certificate authority, and it works on all major browsers. Like Let's Encrypt and other SSL certificate authorities, SSL For Free offers certificates valid for three months at a time. Price: Always free for three months at a time. Then you must renew, for free, for another three months.

Is FIPS 140-2 Secure? ›

The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products, as defined in Section 5131 of the Information Technology Management Reform Act of 1996.

What ciphers are FIPS 140-2 compliant? ›

FIPS 140-2 mode cipher suites for TLS

Cipher suite hex code   Cipher suite name
[0xc025]                ecdh_ecdsa,aes_128_cbc,sha256,sha256
[0xc029]                ecdh_rsa,aes_128_cbc,sha256,sha256
[0x3c]                  rsa,aes_128_cbc,sha256
[0x35]                  rsa,aes_256_cbc,sha
(11 more rows in the source table)
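The table above lists suites in a component notation: key exchange/authentication, bulk cipher, MAC hash and (TLS 1.2 only) PRF hash. The rule-based check below, an added example that is not code from SSL Support Desk or NIST, takes suites in that same notation, with or without the hex-code column, and reports which component, if any, falls outside the FIPS 140-2 approved algorithm set. The approved lists, the exclusion of Triple-DES and the "aead" placeholder for GCM suites are assumptions based on SP 800-131A, not taken from the page.

```python
import re

# Optional leading "[0xc025]" hex-code column, as in the table above.
HEX_PREFIX = re.compile(r"^\[0x[0-9a-fA-F]+\]\s*")
# Key exchange/authentication built on FIPS-approved primitives (RSA, DH, ECDH).
APPROVED_KEX = re.compile(r"^(rsa|dhe_rsa|dhe_dss|ecdh_ecdsa|ecdh_rsa|ecdhe_ecdsa|ecdhe_rsa)$")
# Approved bulk ciphers: AES-128/256 in CBC or GCM mode. Triple-DES is left out on
# purpose: NIST deprecated it (SP 800-131A Rev. 2), so a FIPS profile should reject it.
APPROVED_CIPHER = re.compile(r"^aes_(128|256)_(cbc|gcm)$")
# Approved MAC/PRF hashes: HMAC-SHA-1 ("sha") is still approved, as are SHA-256/384.
APPROVED_HASH = re.compile(r"^(sha|sha256|sha384)$")

def check_suite(suite):
    """Return (approved, reasons); reasons names every component that fails."""
    parts = [p.strip().lower() for p in HEX_PREFIX.sub("", suite).split(",")]
    if len(parts) not in (3, 4):
        return False, [f"unrecognised suite format: {suite!r}"]
    kex, cipher, *hashes = parts
    reasons = []
    if not APPROVED_KEX.match(kex):
        reasons.append(f"key exchange {kex!r} is not FIPS-approved")
    if not APPROVED_CIPHER.match(cipher):
        reasons.append(f"bulk cipher {cipher!r} is not FIPS-approved")
    for h in hashes:
        # Assumed convention: GCM suites put "aead" in the MAC slot (tag replaces HMAC).
        if h == "aead" and cipher.endswith("_gcm"):
            continue
        if not APPROVED_HASH.match(h):
            reasons.append(f"hash {h!r} is not FIPS-approved")
    return not reasons, reasons

def filter_suites(suites):
    """Split a configured list into allowed suites and {rejected suite: reasons}."""
    results = {s: check_suite(s) for s in suites}
    allowed = [s for s, (ok, _) in results.items() if ok]
    rejected = {s: why for s, (ok, why) in results.items() if not ok}
    return allowed, rejected

# Constructed sample configuration: the four suites from the table above plus
# three that a FIPS-mode profile must drop.
CONFIGURED_SUITES = [
    "[0xc025] ecdh_ecdsa,aes_128_cbc,sha256,sha256",
    "[0xc029] ecdh_rsa,aes_128_cbc,sha256,sha256",
    "[0x3c] rsa,aes_128_cbc,sha256",
    "[0x35] rsa,aes_256_cbc,sha",
    "rsa,rc4_128,md5",                          # RC4 and MD5: neither is approved
    "ecdhe_rsa,chacha20_poly1305,aead,sha256",  # ChaCha20 is not a FIPS cipher
    "rsa,3des_ede_cbc,sha",                     # deprecated Triple-DES
]
```

Running `filter_suites(CONFIGURED_SUITES)` keeps the four table suites and rejects the last three with a reason per failing component.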

How much does FIPS validation cost? ›

For FIPS 140-3

Scenario                                                  Base fee   Extended fee
FIPS 140-2 IG G.8 Scenario 5 / FIPS 140-3 Scenario 5FS
  Security Level 1                                        $8,000     $3,000
  Security Level 2                                        $10,000    $4,000
  Security Level 3                                        $10,000    $4,000
(4 more rows in the source table)
Oct 11, 2016

What is the FIPS 140-2 process? ›

FIPS 140-2 standard overview

The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products, as defined in Section 5131 of the Information Technology Management Reform Act of 1996.

Article information

Author: Dong Thiel

Views: 5807

Rating: 4.9 / 5 (59 voted)

Reviews: 82% of readers found this page helpful
