Microsoft Security Advisory (2661254) - Minimum Certificate Key Length

Expert Member
2012/09/10 15:07:12 (permalink)

Back in August, Microsoft issued an Advisory about an update they had released that ensured that RSA keys were only accepted if they were 1024 bits in length or higher.
Details from Microsoft below:

Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
What does the KB2661254 update do?
On all supported releases of Microsoft Windows, the KB2661254 update requires that certificates with RSA keys use a 1024-bit key length or greater. Microsoft products or third-party products that call into the CertGetCertificateChain function will no longer trust certificates with RSA keys less than 1024 bits in length. This function builds a certificate chain context starting from the end certificate going back, if possible, to a trusted root certificate. When the chain is validated, every certificate in the chain is inspected to ensure that it has an RSA key length of at least 1024 bits. If any certificate in the chain has an RSA key less than 1024 bits in length, the end certificate will not be trusted.
What if I find a certificate with an RSA key less than 1024 bits in length?
Customers that identify any certificates that utilize RSA key lengths less than 1024 bits in their environments will need to request longer certificates from their certification authority. Customers that manage their own PKI environments will need to create new, longer key pairs and issue new certificates from these new keys. Customers should evaluate using a sufficient key length to match their requirements for data encryption, which may exceed the minimum required by this update.

When the update was released it was just an optional update that you could install. As of October's "Patch Tuesday" this will change, and the update will be one of the patches that MS release and also make available via Windows Update.
As with any update of this nature, Microsoft are recommending that Enterprise customers download the update sooner rather than later and test it out rather than leave it until October.
There are a number of suggested actions that you can take if you look at the MS Advisory (link below). As this month is going to be a quiet one for patches, it gives you time to do some testing of this update before next month.
Microsoft Advisory:
Further Information:
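The practical follow-up to the Microsoft text quoted above is to find out which chains on a machine would stop validating once KB2661254 is enforced. The PowerShell below is an example added to this page; it is not from the advisory and not from the original poster. It walks the LocalMachine and CurrentUser certificate stores, builds each certificate's chain with the .NET X509Chain class (which sits on top of the same CryptoAPI chain engine as CertGetCertificateChain), and reports every chain element whose RSA public key is shorter than 1024 bits, matching the "any certificate in the chain" rule the advisory describes. The store names, the rsaEncryption OID check and the use of the .NET 4.6 GetRSAPublicKey helper (with a fallback to the older PublicKey.Key property) are my assumptions, not something the advisory specifies.

```powershell
# Added example, not from the advisory or the original post.
# Inventory certificate chains whose elements carry RSA keys shorter than
# the 1024-bit floor enforced by KB2661254. Run elevated to see LocalMachine.

$MinimumRsaBits = 1024   # the floor enforced by KB2661254

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # rsaEncryption OID (assumption: only RSA keys are in scope for this update;
    # ECC and DSA keys are skipped by returning $null)
    if ($Certificate.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') { return $null }
    try {
        # .NET 4.6+ helper; on older frameworks this type is missing and we fall back
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($rsa) { return $rsa.KeySize }
    } catch { }
    # Legacy path: KeySize of the CSP-backed public key object (modulus length in bits)
    return $Certificate.PublicKey.Key.KeySize
}

function Test-ChainKeyLength {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # We want the chain shape, not a revocation verdict, so skip revocation lookups
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Build() returns $false for untrusted chains, but ChainElements still holds
    # whatever path it could assemble, which is what we want to inspect
    $null = $chain.Build($Certificate)
    foreach ($element in $chain.ChainElements) {
        $bits = Get-RsaKeySize -Certificate $element.Certificate
        if ($bits -ne $null -and $bits -lt $MinimumRsaBits) {
            # One finding per weak element; a weak intermediate or root breaks
            # every end certificate beneath it, so EndEntity is reported too
            [PSCustomObject]@{
                EndEntity  = $Certificate.Subject
                Offender   = $element.Certificate.Subject
                Thumbprint = $element.Certificate.Thumbprint
                RsaKeyBits = $bits
            }
        }
    }
    $chain.Reset()
}

$findings = foreach ($location in 'LocalMachine', 'CurrentUser') {
    # The Cert: drive yields store containers as well as certificates; keep only the latter
    Get-ChildItem -Path "Cert:\$location" -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object { Test-ChainKeyLength -Certificate $_ }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No chain elements with RSA keys shorter than $MinimumRsaBits bits were found."
}
```

KeySize reports the modulus length, so a 512-bit intermediate is flagged even when the end certificate it signed is 2048 bits, which is exactly the case the advisory warns will fail. The script only reports key sizes; it does not reproduce every rule the update applies, so treat its output as the list of certificates to replace before October rather than as a full emulation of the patched chain engine.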

1 Reply

    New Member
    Re:Microsoft Security Advisory (2661254) - Minimum Certificate Key Length 2012/09/19 04:11:07 (permalink)
    Microsoft, Google, and other admired companies are trying to provide vigorous security against hackers. Such footprints safeguard the future websites. The time has come when everyone desires a correct value for his money, and Microsoft's step assures that object. If you provide strong security to online business, it will upturn the goodwill of the enterprise as well as revenue.