Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Microsoft Security Advisory: Update for minimum certificate key length


View products that this article applies to.

INTRODUCTION

Microsoft has released a Microsoft security advisory for IT professionals. This advisory announces that the use of RSA certificates that have keys that are less than 1024 bits long will be blocked. To view the security advisory, go to the following Microsoft website:
To reduce the risk of unauthorized exposure of sensitive information, Microsoft has released a nonsecurity update (KB 2661254) for all supported versions of Microsoft Windows. This update will block cryptographic keys that are less than 1024 bits long. This update does not apply to Windows 8 Release Preview or Windows Server 2012 Release Candidate because these operating systems already include the functionality to block the use of weak RSA keys that are less than 1024 bits long.

↑ Back to the top


More Information

The strength of public-key-based cryptographic algorithms is determined by the time that it takes to derive the private key by using brute-force methods. The algorithm is considered to be strong enough when the time that it takes to derive private key is prohibitive enough by using the computing power at disposal. The threat landscape continues to evolve. Therefore, Microsoft is further hardening the criteria for the RSA algorithm with key lengths that are less than 1024 bits long.

After the update is applied, only certificate chains that are built by using the CertGetCertificateChain function are affected. The CryptoAPI builds a certificate trust chain and validates that chain by using time validity, certificate revocation, and certificate policies (such as intended purposes). The update implements an additional check to make sure that no certificate in the chain has an RSA key length of less than 1024 bits.


Update replacement information

This update replaces the following update:
2677070 An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

Known issues with this security update

After the update is applied:
  • A restart is required.
  • A certification authority (CA) cannot issue RSA certificates that have a key length of less than 1024 bits.
  • CA service (certsvc) cannot start when the CA is using an RSA certificate that has a key length of less than 1024 bits.
  • Internet Explorer will not allow access to a website that is secured by using an RSA certificate that has a key length of less than 1024 bits.
  • Outlook 2010 cannot be used to encrypt email if it is using an RSA certificate that has a key length of less than 1024 bits. However, email that has already been encrypted by using an RSA certificate with key length that is less than 1024 bits can be decrypted after the update is installed.
  • Outlook 2010 cannot be used to digitally sign email if it is using an RSA certificate that has a key length that is less than 1024 bits.
  • When email is received in Outlook 2010 that has a digital signature or is encrypted by using an RSA certificate that has a key length of less than 1024 bits, the user receives an error that states that the certificate is untrusted. The user can still view the encrypted or signed email.
  • Outlook 2010 cannot connect to a Microsoft Exchange server that is using an RSA certificate that has a key length of less than 1024 bits for SSL/TLS. The following error is displayed: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate is not valid. The site should not be trusted."
  • Security warnings of "Unknown Publisher" are reported, but installation can continue in the following cases:
    • Authenticode signatures that were time stamped on January 1, 2010 or on a later date, and that are signed with a certificate by using an RSA certificate that has a key length of less than 1024 bits are encountered.
    • Signed installers signed by using an RSA certificate that has a key length of less than 1024 bits.
    • ActiveX controls signed by using an RSA certificate that has a key length of less than 1024 bits. Active X controls already installed before you install this update will not be affected.
  • System Center HP-UX PA-RISC computers that use an RSA certificate with a 512 bit key length will generate heartbeat alerts and all Operations Manager monitoring of the computers will fail. An "SSL Certificate Error" will also be generated with the description "signed certificate verification." Also, Operations Manager will not discover new HP-UX PA-RISC computers because of a "signed certificate verification" error. System Center customers who have HP-UX PA-RISC computers are encouraged to reissue RSA certificates with key lengths of at least 1024 bits. For more information, go to the following TechNet webpage:
Note EFS encryption is not affected by this update.

Discover RSA certificates with key lengths of less than 1024 bits

There are four main methods for discovering if RSA certificates with keys less than 1024 bits are in use:
  • Check certificates and certification paths manually
  • Use CAPI2 logging
  • Check certificate templates
  • Enable logging on computers that have the update installed

Check certificates and certification paths manually

You can check certificates manually by opening them and viewing their type, key length, and certification path. You can do this by viewing (usually by double-clicking) any certificate that was issued internally. On the Certification Path tab, click View Certificate for each certificate in the chain to make sure that all RSA certificates are using at least 1024 bit key lengths.

For example, the certificate in the following figure was issued to a domain controller (2003DC.adatum.com) from an Enterprise Root CA named AdatumRootCA. You can select the AdatumRootCA certificate on the Certification Path tab.

Certification Path tab

To see the AdatumRootCA certificate, click View Certificate. On the Details pane, select Public key to see the key size, as shown in the following figure.

View Certificate

The RSA certificate for AdatumRootCA in this example is 2048 bits.

Use CAPI2 logging

On computers that are running Windows Vista or Windows Server 2008 or later versions of Windows, you can use CAPI2 logging to help identify keys that have a length of less than 1024 bits. You can then allow the computers to perform their usual operations and later check the log to help identify keys that have a length of less than 1024 bits. Then, you can then use that information to track down the sources of the certificates and make the necessary updates.

To do this, you must first enable verbose diagnostic logging. To enable verbose mode logging, follow these steps:

1. Open Registry Editor (Regedit.exe).

2. Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32


3. Add a DWORD (32-bit) value DiagLevel with value of 0x00000005.

4. Add a QWORD (64-bit) value DiagMatchAnyMask with value of 0x00ffffff.

DiagMatchAnyMask

After you do this, you can then enable CAPI2 operational logging in the Event Viewer. The CAPI2 Operational log is located under Applications and Service Logs, Microsoft, Windows, and CAPI2 in Event Viewer. To enable logging, right-click the Operational log, click Enable Log, and then click Filter Current Log. Click the XML tab, and then click to select the Edit query manually check box.
Enable Log

After you have collected the log, you can use the following filter to reduce the number of entries that you have to search throughto find certificate operations with keys that have a length of less than 1024 bits. The following filter looks for keys of 512 bits.

<QueryList>

<Query Id="0" Path="Microsoft-Windows-CAPI2/Operational">

<Select Path="Microsoft-Windows-CAPI2/Operational">Event[UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyLength='512']]]]] and UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyName='RSA']]]]]]</Select>

</Query>

</QueryList>

Filter current log

You can also query for multiple key lengths with a single query. For example, the following filter queries for 384-bit keys and 512-bit keys.

<QueryList>

<Query Id="0" Path="Microsoft-Windows-CAPI2/Operational">

<Select Path="Microsoft-Windows-CAPI2/Operational">Event[UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyLength='384']]]]] and UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyName='RSA']]]]]] or Event[UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyLength='512']]]]] and UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyName='RSA']]]]]]</Select>

</Query>

</QueryList>

Check certificate templates

You can run the following query on your Certification Authorities (CAs) to discover certificate templates that use keys of less than 1024 bits:

certutil -dstemplate | findstr "[ msPKI-Minimal-Key-Size" | findstr /v "1024 2048 4096"

Note You should run the command in each forest in your organization.

If you run this query, templates that use keys that are smaller than 1024 bits will be shown with their key size. The following figure shows that two of the built-in templates, SmartcardLogon and SmartcardUser, have default key lengths that have minimum key sizes of 512 bits. You may also discover other templates that were duplicated with minimum key sizes of less than 1024 bits.

For each template that you discover that allow less than 1024 bit keys, you should determine whether it is possible to issue certificates as shown in the Certificate Templates section of the Certification Authority console.

Certificate Templates section

Enable logging on computers that have the update installed

You can use registry settings to enable computers that have the update applied to locate RSA certificates with key lengths of less than 1024 bits. The option for implementing logging is described in the "Resolutions" section because it is closely coupled with the registry settings that can be used to allow key lengths of less than 1024 bits. See the "Allow key lengths of less than 1024 bits by using registry settings" section later in this article for more information about how to enable logging.

↑ Back to the top


Resolutions

The primary resolution for any issue that is related to blocking of a certificate that has a key length of less than 1024 bits is to implement a larger (1024 bit key length or larger) certificate. We recommend that users implement certificates that have a key length of at least 2048 bits.

Increase the key size for certificate issued through certificate autoenrollment

For templates that issued RSA certificates with key lengths of less than 1024 bits, you should consider increasing the minimum key size to a setting of at least 1024 bits. This assumes that the devices to which these certificates are issued support a larger key size.

After you increase the minimum key size, use the Reenroll All Certificate Holders option in the Certificate Templates Console to cause the client computers to Reenroll and request a larger key size.

Smartcard Logon

If you have issued certificates by using the built-in Smartcard Logon or Smartcard User templates, you will be unable to adjust the minimum key size of the template directly. Instead, you will have to duplicate the template, increase the key size on the duplicated template, and then supersede the original template with the duplicated template.

Updated Smartcard Logon Properties

After you supersede a template, use the Reenroll All Certificate Holders option to cause the client computers to Reenroll and request a larger key size.

Reenroll All Certificate Holders

Allow key lengths of less than 1024 bits by using registry settings

Microsoft does not recommend customers use certificates less than 1024 bits long. Customers may however need a temporary workaround while a longer term solution is developed to replace RSA certificates with a key length of less than 1024 bits length. In these cases, Microsoft is providing the customers the ability to change the way the update functions. Customers configuring these settings are accepting the risk that an attacker may be able to break their certificates and use them to spoof content, perform phishing attacks, or perform Man-in-the-Middle attacks.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
On Windows 8 or Windows Server 2012-based computers that have the update applied, the following registry path and settings can be used to control detection and blocking of RSA certificates with less than 1024 bit key lengths.

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDLLCreateCertificateChainEngine\Config

There are four main values that control how keys under 1024 bits blocking works. These are as follows:
  • MinRsaPubKeyBitLength
  • EnableWeakSignatureFlags
  • WeakSignatureLogDir
  • WeakRsaPubKeyTime
Each of these values and what they control are discussed in the following sections.

For operating systems starting with Windows Vista and Windows Server 2008, you can use certutil commands to change these registry settings. On Windows XP, Windows Server 2003, and Windows Server 2003 R2, you cannot use certutil commands to change these registry settings. However, you can use Registry Editor, reg command, or reg file.

MinRsaPubKeyBitLength

MinRsaPubKeyBitLength is a DWORD value that defines the minimum allowed RSA key length. By default, this value is not present, and the minimum allowed RSA key length is 1024. You can use certutil to set this value to 512 by running the following command:

certutil -setreg chain\minRSAPubKeyBitLength 512

NoteAll certutil commands shown in this article require local Administrator privileges because they are changing the registry. You can ignore the message that reads "The CertSvc service may have to be restarted for changes to take effect." That is not required for these commands because they do not affect the certificate service (CertSvc).

You can revert to blocking keys that have a length of less than1024 bits by removing the value. To do this, run the following certutil command:

certutil -delreg chain\MinRsaPubKeyBitLength

EnableWeakSignatureFlags

The EnableWeakSignatureFlags DWORD value has three potential values: 2, 4, 6, and 8. These settings change the behavior of how the keys under 1024 bits detection and blocking works. The settings are described in the following table:
Decimal valueDescription
2When enabled, the root certificate (during chain building) is allowed to have an RSA certificate with a key length of less than 1024 bits. Blocking of RSA certificates lower in the chain (if they have less than 1024 bit keys) is still in effect. The flag enabled when this value is set is as CERT_CHAIN_ENABLE_WEAK_RSA_ROOT_FLAG.
4Enables logging, but still enforces blocking of RSA certificates with keys less than 1024 bits. When it is enabled, the WeakSignatureLogDir is required. All keys with less than 1024 bit length encountered are copied to the physical WeakSignatureLogDir folder. The flag enabled when this value is set as CERT_CHAIN_ENABLE_WEAK_LOGGING_FLAG.
6When it is enabled, the root certificate is allowed to have an RSA certificate with a key less than 1024 bits and the WeakSignatureLogDir is required. All keys below the root certificate that have keys of less than 1024 bits are blocked and logged to the folder that is specified as the WeakSignatureLogDir.
8Enables logging and does not enforce blocking of keys that have a length of less than 1024 bits. When it is enabled, the WeakSignatureLogDir is required. All keys encountered that have a length of less than 1024 bits are copied to the physical WeakSignatureLogDir folder. The flag enabled when this value is set is as CERT_CHAIN_ENABLE_ONLY_WEAK_LOGGING_FLAG.

Examples

To enable an RSA root certificate that has a key length of less than 1024 bits, use the following certutil command:

certutil -setreg chain\EnableWeakSignatureFlags 2

To enable logging while still blocking certificates that use a key length of less than 1024 bits, use the following certutil command:

certutil -setreg chain\EnableWeakSignatureFlags 4

To enable logging of only RSA certificates below the root certificate that have a key length of less than 1024 bits, use the following certutil command:

certutil -setreg chain\EnableWeakSignatureFlags 6

To enable logging only and not blocking key lengths of less than 1024 bits, use the following certutil command:

certutil -setreg chain\EnableWeakSignatureFlags 8

Note When you enable logging (decimal setting 4, 6, or 8), you must also configure a log directory as described in the next section.

WeakSignatureLogDir

When defined, certificates that have a key length of less than 1024 bits are written to the specified folder. For example, C:\Under1024KeyLog could be the data for this value. This option is required when EnableWeakSignatureFlags is set to 4 or 8. Make sure that you configure the security on the specified folder so that both Authenticated Users and the local group All Application Packages have modify access. To set this value for C:\Under1024KeyLog, you can use the following certutil command:

Certutil -setreg chain\WeakSignatureLogDir "c:\Under1024KeyLog"

You can also configure the WeakSignatureLogDir to write to a network shared folder. Make sure that you have the appropriate permissions configured for the network location so that all configured users can write to the shared folder. The following command is an example of configuring the WeakSignatureLogDir to write to a folder named Keys that is in a network shared folder named RSA on Server1:

Certutil -setreg chain\WeakSignatureLogDir "\\server1\rsa\keys"

WeakRsaPubKeyTime

The WeakRsaPubKeyTime is an 8 byte REG_BINARY value that contains a Windows FILETIME data type stored as UTC/GMT. This value is available primarily to reduce potential problems by blocking keys that have a length of less than 1024 bits for Authenticode signatures. Certificates that are used to sign code before the configured date and time are not checked for keys that have a length of less than 1024 bits. By default this registry value is not present and is treated as early morning January 1, 2010 at midnight UTC/GMT.

NoteThis setting is only applicable to when a certificate was used to Authenticode sign a time stamped file. If the code is not time stamped, then the current time is used and the WeakRsaPubKeyTime setting is not used.

The WeakRsaPubKeyTime setting allows for the configuration of the date for which to consider older signatures valid. If you have reason to set a different date and time for the WeakRsaPubKeyTime, you will can use certutil to set a different date. For example, if you wanted to set the date to August 29, 2010, you could use the following command:

certutil -setreg chain\WeakRsaPubKeyTime @08/29/2010

If you must set a specific time, such as 6:00 PM on July 4, 2011, then add the number of days and hours in the format +[dd:hh] to the command. Because 6:00 PM is 18 hours after midnight on July 4, 2011, you would run the following command:

certutil -setreg chain\WeakRsaPubKeyTime @01/15/2011+00:18

Configuring Certificates on Internet Information Services (IIS)

If you are an IIS customer who has to issue new certificates that are 1024 bits or longer, see the following articles:

↑ Back to the top


Resolution

The following files are available for download from the Microsoft Download Center:


For all supported x86-based versions of Windows XP

Download Download the package now.

For all supported x64-based versions of Windows XP Professional x64 edition

Download Download the package now.

For all supported x86-based versions of Windows Server 2003

Download Download the package now.

For all supported x64-based versions of Windows Server 2003

Download Download the package now.

For all supported IA-64-based versions of Windows Server 2003

Download Download the package now.

For all supported x86-based versions of Windows Vista

Download Download the package now.

For all supported x64-based versions of Windows Vista

Download Download the package now.

For all supported x86-based versions Windows Server 2008

Download Download the package now.

For all supported x64-based versions of Windows Server 2008

Download Download the package now.

For all supported IA-64-based versions of Windows Server 2008

Download Download the package now.

For all supported x86-based versions of Windows 7

Download Download the package now.

For all supported x64-based versions of Windows 7

Download Download the package now.

For all supported x64-based versions of Windows Server 2008 R2

Download Download the package now.

For all supported IA-64-based versions of Windows Server 2008 R2

Download Download the package now.

For all supported x86-based versions of Windows Embedded Standard 7

Download Download the package now.

For all supported x64-based versions of Windows Embedded Standard 7

Download Download the package now.

Release Date: August 14, 2012

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

↑ Back to the top


FILE INFORMATION

For a list of files that are provided within these packages, click the following link:

↑ Back to the top


Applies to:

↑ Back to the top

Keywords: kbsecadvisory, atdownload, kbbug, kbexpertiseinter, kbfix, kblangall, kbmustloc, kbsecreview, kbsecurity, kbsecvulnerability, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 2661254
Revision : 3
Created on : 4/13/2020
Published on : 4/13/2020
Exists online : False
Views : 5734