In August 2012, Microsoft published an optional update KB2661254
titled "Update For Minimum Certificate Key Length". Rereleased in October as recommended, Windows Automatic Updates applied it to all systems with the following options set:
The minimum SSL certificate key length was increased from 512 bits to 1024 bits. The minimum key length cannot be bypassed using IE's "Continue to this website[...]" option despite the message being displayed. Many self-signed SSL certificates created with openssl's default modulus are now effectively Internet Explorer incompatible.
Available workarounds include uninstalling KB2661254 and generating new server SSL certificates. When generating new private keys, use a 2048 bit modulus. Today's 1024 bit acceptable minimum key, will eventually be vulnerable too. And while 4096 bit keys are an option, many certificate authorities will not sign those requests.
The minimum SSL certificate key length was increased from 512 bits to 1024 bits. The minimum key length cannot be bypassed using IE's "Continue to this website[...]" option despite the message being displayed. Many self-signed SSL certificates created with openssl's default modulus are now effectively Internet Explorer incompatible.
Available workarounds include uninstalling KB2661254 and generating new server SSL certificates. When generating new private keys, use a 2048 bit modulus. Today's 1024 bit acceptable minimum key, will eventually be vulnerable too. And while 4096 bit keys are an option, many certificate authorities will not sign those requests.
Comments