Please be aware that there is a pending change for the minimum key length for certificates with RSA keys. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
The update is available on the Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows. In addition, Microsoft is planning to release this update through Microsoft Update in October, 2012 after customers have a chance to assess the impact of this update and take necessary actions to use certificates with RSA keys greater than or equal to 1024 bits in length in their enterprise.
Recommendation: Microsoft recommends that customers download the update and assess the impact of blocking certificates with RSA keys less than 1024 bits in length before applying the update to their enterprise. Please see the Suggested Actions section of in the advisory for more information.
This update will impact HTTPS web services which have a RSA key length of less than 1024 bits. Examples will include Outlook, Exchange web services and web browsers. This article discusses the impact of KB2661254 to Internet Explorer.
Known issues with this security update, after the update is applied:
- A restart is required.
- A certification authority (CA) cannot issue RSA certificates that have a key length of less than 1024 bits.
- CA service (certsvc) cannot start when the CA is using an RSA certificate that has a key length of less than 1024 bits.
- Internet Explorer will not allow access to a website that is secured by using an RSA certificate that has a key length of less than 1024 bits.
- Outlook 2010 cannot be used to encrypt email if it is using an RSA certificate that has a key length of less than 1024 bits. However, email that has already been encrypted by using an RSA certificate with key length that is less than 1024 bits can be decrypted after the update is installed.
- Outlook 2010 cannot be used to digitally sign email if it is using an RSA certificate that has a key length that is less than 1024 bits.
- When email is received in Outlook 2010 that has a digital signature or is encrypted by using an RSA certificate that has a key length of less than 1024 bits, the user receives an error that states that the certificate is untrusted. The user can still view the encrypted or signed email.
- Outlook 2010 cannot connect to a Microsoft Exchange server that is using an RSA certificate that has a key length of less than 1024 bits for SSL/TLS. The following error is displayed: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate is not valid. The site should not be trusted."
- Security warnings of "Unknown Publisher" are reported, but installation can continue in the following cases:
- Authenticode signatures that were time stamped on January 1, 2010 or on a later date, and that are signed with a certificate by using an RSA certificate that has a key length of less than 1024 bits are encountered.
- Signed installers signed by using an RSA certificate that has a key length of less than 1024 bits.
- ActiveX controls signed by using an RSA certificate that has a key length of less than 1024 bits. Active X controls already installed before you install this update will not be affected.
There are four main methods for discovering if RSA certificates with keys less than 1024 bits are in use:
- Check certificates and certification paths manually
- Use CAPI2 logging
- Check certificate templates
- Enable logging on computers that have the update installed
To quickly check a single certificate the Public Key attribute can be inspected using the Certificates MMC snap-in as shown below. If you need steps to open the Certificates MMC please read this.
This certificate is OK as it has a 2048 bit key.
For more details on the additional methods to check and information on resolutions please read the full Security Advisory for this update.
Cheers,
Rhoderick.
