You might recall that back in June, Microsoft was battling with the Flame malware. The Flame research surfaced a certificate collision attack against Microsoft Windows Update. During that stressful time for Microsoft, they announced a change to the minimum certificate key length that would be permitted on Windows. In short, any key less than 1024 bits would be considered invalid.
It's now September and crunch time is upon us to get our minimum key length usage in order. The upcoming changes were discussed at length in June and security advisory 2661254 was released in August. The update was also made available in August via Download Center. Microsoft is planning to deploy this update into the Windows Update stream in October.
Microsoft has released a great article on how to discover certificates in your organization that don’t meet the new minimum requirements. There are 4 methods for discovering these certificates:
- Check certificates and certification paths manually
- Use CAPI2 logging
- Check certificate templates
- Enable logging on computers that have the update installed
All of these are detailed in KB2661254.
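As an added example (not from the original post or from Microsoft's KB article), the following PowerShell script automates the first method: it walks the local machine and current user certificate stores and reports every RSA certificate whose key is shorter than a chosen threshold. The 2048-bit policy threshold, the function name and the output columns are assumptions for this example; the 1024-bit floor is the one the update enforces.

```powershell
# Added example, not from the original post or from KB2661254.
# Enumerates certificate stores and flags RSA keys shorter than a threshold.
$MinimumWindowsBits = 1024   # hard minimum enforced by the KB2661254 update
$PolicyBits         = 2048   # assumed local policy threshold; adjust as needed

function Get-WeakKeyCertificates {
    param(
        # Store roots to search; both machine and user stores are covered.
        [string[]] $StoreRoots = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        # Report anything below this size, not only below the Windows floor.
        [int] $Threshold = $PolicyBits
    )
    foreach ($root in $StoreRoots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            # The certificate provider returns store containers too; skip them.
            Where-Object { -not $_.PSIsContainer } |
            # The update's rule applies to RSA keys, so only inspect those.
            Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
            ForEach-Object {
                $cert = $_
                $bits = $cert.PublicKey.Key.KeySize
                if ($bits -lt $Threshold) {
                    [pscustomobject]@{
                        Store           = ($cert.PSParentPath -replace '^.*::', '')
                        Subject         = $cert.Subject
                        Issuer          = $cert.Issuer
                        Thumbprint      = $cert.Thumbprint
                        KeyBits         = $bits
                        NotAfter        = $cert.NotAfter
                        # True means Windows will reject this key after the update.
                        BelowWindowsMin = ($bits -lt $MinimumWindowsBits)
                    }
                }
            }
    }
}

# Shortest keys first, so the ones the update will break are at the top.
Get-WeakKeyCertificates | Sort-Object KeyBits | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine stores are fully readable; certificates that only appear on a remote host's chain will still need the CAPI2 logging or update logging methods above.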
Here at nCircle, we completed the discovery and testing process back in July and honestly, the process was pretty painless. Honestly, though, who wants certificates on their network that have key lengths less than 1024 bits anyway? Why not step it up and make your own policy that says nothing less than 2048 (or bigger)?