1024 bit self signed cert

  • Question

  • Hi,

    It has been brought to our attention by pen testers that there are a number of certificates that are using 1024-bit keys. This has been deemed a risk, and as you know RSA no longer issues 1024-bit certs.

    The certificate that I am interested in, or that falls at my door, is the FIM cert for our SharePoint 2013 sync service.

    Our PKI SME is currently tasked with upgrading all the certs in our domain to 2048-bit certs. I have been asked how we are going to do the FIM cert...

    Good question indeed.

    As this is a self-signed cert, how do I get the FIM sync service to create a 2048-bit key cert?

    I had thought about manually creating a domain cert using a custom template, but I'm not sure this will work.

    Is there a way to force FIM to create a 2048-bit key certificate?

    Thanks

    Grizzly


    john adams

    Friday, June 23, 2017 8:39 AM

All replies

  • Interesting. I haven't checked FIM 2010 R2, but with a vanilla MIM installation I have a 2048-bit key. I would think you could run a change mode install and reconfigure the certificate to your own internal PKI\Self-Signed, as I suspect it's only used for encryption\key exchange and not actual server\certificate validation.

    https://technet.microsoft.com/en-us/library/ff512686(v=ws.10).aspx

    I thought I recalled issues with some people not using the self-signed certificate, but maybe not.

    Friday, June 23, 2017 5:45 PM
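As an added example (not code from either post, and not Microsoft's FIM/MIM tooling), here is the check a practitioner would run to reproduce the pen-test finding in the question, followed by the 2048-bit self-signed replacement the reply suggests creating before a change-mode reconfiguration. It assumes an elevated Windows PowerShell 5.1 session on the sync server; the store path, the 2048-bit threshold and the subject 'CN=ForefrontIdentityManager' are placeholders to adjust for your environment.

```powershell
# Added example for this thread; not from the original posts or from the FIM/MIM installer.
# Part 1: audit the machine Personal store for RSA certificates below a key-length threshold.
# Part 2: create a 2048-bit self-signed replacement and confirm its key length.

function Get-WeakRsaCertificate {
    param(
        [string]$StorePath      = 'Cert:\LocalMachine\My',   # placeholder store; FIM's cert may live elsewhere
        [int]   $MinimumKeyBits = 2048
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
        ForEach-Object {
            # PublicKey.Key is the AsymmetricAlgorithm; KeySize is the modulus length in bits
            $bits = $_.PublicKey.Key.KeySize
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                KeyBits    = $bits
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        } |
        Where-Object { $_.KeyBits -lt $MinimumKeyBits }
}

# Every RSA certificate under 2048 bits; the pen testers' list should match this output.
Get-WeakRsaCertificate -MinimumKeyBits 2048 | Format-Table -AutoSize

# Part 2: a 2048-bit self-signed replacement. -KeyAlgorithm, -KeyLength, -KeyExportPolicy and
# -NotAfter exist on Windows 10 / Server 2016 and later; on Server 2012 R2 the cmdlet only takes
# -DnsName/-CertStoreLocation and already defaults to a 2048-bit RSA key.
$params = @{
    Subject           = 'CN=ForefrontIdentityManager'   # placeholder subject, assumption not from the thread
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    KeyExportPolicy   = 'Exportable'                    # needed if the key must move to another box
    CertStoreLocation = 'Cert:\LocalMachine\My'
    NotAfter          = (Get-Date).AddYears(5)
}
$new = New-SelfSignedCertificate @params

# Verify before pointing the service at it: must report 2048.
$new.PublicKey.Key.KeySize
```

Run the audit first, record the thumbprint of the 1024-bit certificate you intend to replace, and only then create the new one; keeping both thumbprints makes the later change-mode reconfiguration and the re-audit straightforward. The steps for binding the sync service to the new certificate are not shown here because this thread does not cover them.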