September ANS and an important heads-up concerning certificates

Hello there. As we prepare for September’s two security updates, we’d like to remind you about an important change to Windows’ certificate requirements included in Security Advisory 2661254 (Update For Minimum Certificate Key Length). In June, we began communicating this change, which will help improve security across the Windows platform by increasing the requirement for certificates used in Public Key Infrastructure (PKI) to an RSA key length minimum of 1024 bits. By raising the bar of our certificate requirements, as part of our ongoing work to evaluate Microsoft’s security efforts and make improvements, we aim to help create a safer more trusted Internet for everyone.

As many of you are aware, Security Advisory 2661254 was initially made available in August via the Download Center and the Microsoft Update Catalog, with distribution through Windows Update planned for October 2012. To help ensure that all customers are prepared for the update, we are reiterating those announcements before releasing the requirement change with our monthly bulletins on Oct. 9.Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they “still work” and have not had any cause for review for some time.

For those who find they are using certificates with RSA key lengths of less than 1024 bits, those certificates will be required to be reissued with at least a 1024-bit key length. (1024 should, by the way, be considered a minimum length; the most up-to-date security practices recommend 2048 bits or even better.) We recommend that you evaluate your environments with the information provided in Security Advisory 2661254 and your organization is aware of and prepared to resolve any known issues prior to October.

Some known issues that customers may encounter after applying this update may include:

  •       Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
  •       Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
  •       Difficulties creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
  •       Difficulties installing Active X controls that were signed with less than 1024 bit signatures
  •       Difficulties installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to Jan. 1, 2010, which will not be blocked by default)

We are constantly looking for ways to improve the company’s security both internally and through industry collaboration, in a continual effort to help keep people safe from known and unknown threats. This update to certificate key length requirements is yet another defense-in-depth measure that will help strengthen the Windows ecosystem.

Onward to our September Advance Notification Service announcement for this month. September has historically been a light month for security updates, and this month we have two Important-class bulletins addressing four issues in Visual Studio Team Foundation Server and System Center Configuration Manager. As usual, the bulletin release is scheduled for the second Tuesday of the month, Sept. 11, 2012, at approximately 10 a.m. PDT.

For all the latest information, follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Angela Gunn
Trustworthy Computing.