Microsoft's minimum certificate key length update may cause technical issues

Microsoft will release an automatic update for Windows on October 9, 2012 that is making a minimum certificate key length of 1024 bits mandatory for digital certificates. Information about the update were first published on August 14 in Security Advisory 2661254 and a related Microsoft Knowledge Base article. The update is available for all supported client and server-based versions of the Windows operating system. Once applied it will block cryptographic keys that are less than 1024 bits long which can have a number of consequences for services and users.

Windows operating system users for instance may notice that they can't digitally sign or encrypt emails in Outlook anymore as this is automatically blocked if an RSA certificate with less than 1024 bits is used.  Internet Explorer users may notice error messages when they try to access websites that use SSL certificates with keys that are less than 1024 bits. The consequence is that Internet Explorer won't allow access to the site.

A Microsoft blog post highlights additional issues that customers may encounter after applying the update:

• Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
• Difficulties installing Active X controls that were signed with less than 1024 bit signatures
• Difficulties installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to Jan. 1, 2010, which will not be blocked by default)
• CA service (certsvc) cannot start when the CA is using an RSA certificate that has a key length of less than 1024 bits.
• A certification authority (CA) cannot issue RSA certificates that have a key length of less than 1024 bits.
• Security warnings of "Unknown Publisher" are reported, but installation can continue in the following cases:
  • Authenticode signatures that were time stamped on January 1, 2010 or on a later date, and that are signed with a certificate by using an RSA certificate that has a key length of less than 1024 bits are encountered.
  • Signed installers signed by using an RSA certificate that has a key length of less than 1024 bits.
  • ActiveX controls signed by using an RSA certificate that has a key length of less than 1024 bits. Active X controls already installed before you install this update will not be affected.

Services that use certificates with a key length of less than 1024 bits need to re-issue the certificate with at least a 1024 bit key length. Microsoft notes that this is the absolute minimum, and that companies should consider selecting a secure key length of 2048 or better.

Devices running Windows 8 or Windows Server 2012 are not affected by the update as they already include the functionality that Microsoft will introduce on October 9 in the other Windows versions. (via Information Week, thanks Ilev for the tip)