none
Find certificate key length on all servers

    Question

  • Hi There

    I have just taken on a client with ageing infrastructure and a whole bunch of undocumented website and web services.

    I need an easy way to find all certificates that are using 1024 bit length before they are no longer supported on the 1st October 2013.

    Is there a batch script I could use to list out all the certificates that are using 1024 encryption?

    Thanks

    • Moved by Bill_Stewart Tuesday, December 31, 2013 8:21 PM Abandoned thread
    Thursday, September 26, 2013 10:31 PM

All replies

  • Where are these certificates stored. 

    I PowerShell you can enumerate a users certs and the machine certs.  There is no way to run a program and get all certs in use everywhere.

    Does you customer have a cert server?  What applications are no longer going to support 1024 bit encryption.  Who is telling you that this is true?


    ¯\_(ツ)_/¯

    Thursday, September 26, 2013 11:02 PM
  • Is this what you are referring to?

    http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

    Read it carefully as it describes how to transition.

    Call the vendor for you certs and have them tell you how to re-order the new certs.  THey will also be able t give you a complete list of all certs delivered.

    If you have Cert server then just run the reports.

    Only web servers need to be updated.  I suggest that all of your web servers need updating.  Just go to the web servers and re-order the certs.


    ¯\_(ツ)_/¯

    Thursday, September 26, 2013 11:06 PM
  • The certs are all over the place and the site is not documented at all so I really need to cover all servers in this audit. I could run a script on all servers but it would need to be a batch script as there is a mix of 2000, 2003 and 2008 servers on the site

    you can read about the 1st of October 2013 for 1024 bit encryption deadline here http://www.thawte.com/resources/2048-bit-compliance/

    Thursday, September 26, 2013 11:10 PM
  • you can read about the 1st of October 2013 for 1024 bit encryption deadline here http://www.thawte.com/resources/2048-bit-compliance/


    For web servers and browsers.

    ¯\_(ツ)_/¯

    Thursday, September 26, 2013 11:47 PM
  • Certs can be explored using the Net framework X509 cert store class.  Look in repository.  It can work remotely against all servers.

    ¯\_(ツ)_/¯

    Thursday, September 26, 2013 11:48 PM