RSA keys under 1024 bits have been blocked

  • Question

  • After applying this update http://support.microsoft.com/kb/2661254, all the websites which were using RSA keys under 1024 bits have been blocked. Please help me to solve this problem!

    I am using Windows XP SP3 at client side along with IE8.

     
    • Edited by Diadem 85 Tuesday, March 26, 2013 5:17 AM
    Tuesday, March 26, 2013 5:16 AM

Answers

  • How can I configure the option of "allow weak root certs", knowing that the above mentioned KB is already deployed on the systems? Can you please help me out?

    The same KB article http://support.microsoft.com/kb/2661254 provides the necessary steps to allow weak certs.
    In the "Resolution" section, there is a paragraph titled "Allow key lengths of less than 1024 bits by using registry settings".
    - You can set the registry key on every client PC (use a script or GPP)
    - You can use certutil and it will set the registry key (use a script or a ConfigMgr package/program/app or whatever)

    I have used these steps to deploy the registry keys "EnableWeakSignatureFlags = 4" & "WeakSignatureLogDir = c:\weakcerts", as a test.
    If you want to allow weak root certs, then you would set "EnableWeakSignatureFlags = 2".

    Although not clearly stated in the KB article, logging weak certs actually causes a copy of the weak cert to be placed in the LogDir, so each client PC ends up collecting certs, which you can then identify and analyse, to arrange for those to be upgraded/replaced with stronger certs.
    Or, at least, you can identify where your problems will be, and assess the risk.
    The main problem is that allowing weak certs is a system-wide setting on the client, so if you allow any weak certs, you allow *ALL* weak certs.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Wednesday, March 27, 2013 8:18 PM
    • Marked as answer by Niki Han Wednesday, April 3, 2013 8:58 AM
    Wednesday, March 27, 2013 8:15 PM
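    As an added example (not part of the thread and not Microsoft's script), the following PowerShell reads the KB2661254 settings the answer refers to and then summarises the certificates that logging mode (flag 4) collected in the LogDir, so the weak ones can be identified for replacement. It assumes the registry path and value names documented in KB2661254 (not shown on this page), PowerShell 2.0 or later, and that the per-client log directories have been gathered onto one admin workstation.

```powershell
# Registry location used by KB2661254 (per the KB article, not this thread).
$cfg = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

function Get-WeakKeyPolicy {
    # Reports what the client is currently configured to do with keys under 1024 bits.
    $p = Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue
    $flags = 0
    if ($p -and $p.EnableWeakSignatureFlags) { $flags = [int]$p.EnableWeakSignatureFlags }
    $min = 1024                                  # default enforced by the update
    if ($p -and $p.MinRsaPubKeyBitLength) { $min = [int]$p.MinRsaPubKeyBitLength }
    New-Object PSObject -Property @{
        MinRsaPubKeyBitLength = $min
        AllowWeakRoot         = (($flags -band 2) -ne 0)   # flag 2: weak root certs accepted
        LogWeakCerts          = (($flags -band 4) -ne 0)   # flag 4: weak certs copied to LogDir
        WeakSignatureLogDir   = $(if ($p) { $p.WeakSignatureLogDir } else { $null })
    }
}

function Get-WeakCertReport {
    param([string]$LogDir = 'C:\weakcerts')   # the LogDir used in the answer above
    # Every file the logger dropped is a DER certificate; report subject, issuer and key size
    # so the chains that need stronger certs can be found before anything is "allowed".
    Get-ChildItem -Path $LogDir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
            New-Object PSObject -Property @{
                File     = $_.Name
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                KeyBits  = $cert.PublicKey.Key.KeySize
                NotAfter = $cert.NotAfter
                IsRoot   = ($cert.Subject -eq $cert.Issuer)   # a weak root needs flag 2, not the cert-only setting
            }
        } catch {
            Write-Warning ("Not a parseable certificate: " + $_.FullName)
        }
    } | Sort-Object KeyBits, Subject
}

Get-WeakKeyPolicy | Format-List
Get-WeakCertReport | Format-Table KeyBits, IsRoot, Subject, Issuer, NotAfter -AutoSize
```

    Run Get-WeakKeyPolicy on a client to confirm which mode it is in; run Get-WeakCertReport against the collected directories, and anything listed with IsRoot = True is what "allow weak root certs" (flag 2) would accept system-wide.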

All replies

  • Hi,

    see the downloads under "Resolution" for your XP version.

    Regards.


    Rob^_^

    Tuesday, March 26, 2013 5:52 AM
  • Ya kinda want to rekey those certs.  1024 bits is kinda not secure.
    Tuesday, March 26, 2013 6:26 AM
  • For smooth running of applications it is mandatory that we keep RSA keys to 512 ..... so I am interested in a solution for it.
    Tuesday, March 26, 2013 6:35 AM
  • Hi, there are various options available to you, and they are described in the KB article.
    The recommended solution is to generate new, stronger certificates, and you should really check the complete certificate chain to confirm all certs in the chain are stronger than 1024.

    You could use one of the other options, such as "allow weak root certs" and/or "allow weak certs" - but this means that you accept this significant risk and don't want to know about the problem you really have?


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Tuesday, March 26, 2013 8:28 AM
  • How can I configure the option of "allow weak root certs", knowing that the above mentioned KB is already deployed on the systems? Can you please help me out?

    Wednesday, March 27, 2013 12:55 PM