Microsoft Security Advisory (2661254) | Update For Minimum Certificate Key Length

  • Article

This is to inform you that Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. This is a necessary step to enhance your security as today, keys smaller than 1024 bits cannot be seen as secure anymore. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

The update is available on the Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows. In addition, Microsoft is planning to release this update through Microsoft Update in October, 2012 after customers have a chance to assess the impact of this update and take necessary actions to use certificates with RSA keys greater than or equal to 1024 bits in length in their enterprise.

Recommendation:-

Microsoft recommends that customers download the update and assess the impact of blocking certificates with RSA keys less than 1024 bits in length before applying the update to their enterprise.

Known Issues.

Microsoft Knowledge Base Article 2661254 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.

Suggested Actions:

1. The package will push out via Windows Update only in OCT 2012 (but it is already available in the Download Center). Since you have time on hands, please use it to assess the impacts and make necessary changes.

2. PLEASE READ the advisory 2661254 to understand the situation. It only affect certificates with RSA key length less than 1024 bits.

3. Please read the “KNOWN ISSUES” section to understand the impact of applying the fix

4. Test this in a UAT (non-production environment) before applying entire production CA servers

Technical Reference:

- Main advisory: https://technet.microsoft.com/en-us/security/advisory/2661254

PKI Blogs:

o https://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx

o https://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx

o https://blogs.technet.com/b/pki/archive/2012/08/14/blocking-rsa-keys-less-than-1024-bits-part-3.aspx

SRD Blog:

https://blogs.technet.com/b/srd/archive/2012/07/10/microsoft-s-continuing-work-on-digital-certificates.aspx

AD troubleshooting:

https://blogs.technet.com/b/instan/archive/2012/08/03/how-to-identify-if-your-adcs-has-issued-any-certificates-with-public-keys-lt-1024-bits-in-preparation-for-kb2661254.aspx

Please feel free to reach out to us for any clarifications and questions.

Regards,

Aviraj Ajgekar

Technical Evangelist

Microsoft Corporation