Blocking RSA Keys less than 1024 bits (part 2)

Kurt L Hudson

In August 2012, Microsoft will issue a critical non-security update for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use of RSA cryptographic keys that are less than 1024 bits. This was first announced in the blog post titled "RSA keys under 1024 bits are blocked". This post is a reminder that the update is coming and provides a bit more information on how to control its behavior once it is deployed.
Note: The modification (opt-out settings) discussed in this article will apply throughout the operating system. You cannot configure these modifications to be applicable to a specific application, custom certificate, or scenario.
You can use the certutil command to modify the registry setting that controls the minimum key size below which keys are blocked. For example, if you wanted to allow 512-bit keys but block all keys smaller than 512 bits, you could run the following command:

certutil -setreg chain\minRSAPubKeyBitLength 512

Note: All certutil commands shown in this article require local Administrator privileges because they modify the registry.

If only the root certificate in a chain is 512 bits, and all the other keys below it are 1024 bits or higher, you could run the following command. It indicates that you will allow a 512-bit root certificate but want to block all keys smaller than 1024 bits below the root certificate.

certutil -setreg chain\EnableWeakSignatureFlags 2

Note: The above command also applies to self-signed certificates with RSA keys smaller than 1024 bits.

Authenticode signatures that were made with keys smaller than 1024 bits before January 1, 2010, 12:00:00 AM UTC/GMT are not blocked by default. The WeakRsaPubKeyTime setting controls the date and time before which such older signatures are still considered valid. If you have reason to use a different cutoff, you can set it with certutil. For example, if you wanted to set the date to August 29, 2010, you could use the following command:

certutil -setreg chain\WeakRsaPubKeyTime @08/29/2010

If you need to set a specific time of day, such as 6:00 PM UTC/GMT on July 4, 2011, append the number of days and hours in the format +[dd:hh] to the date. Since 6:00 PM is 18 hours after midnight on July 4, 2011, you would run the following command:

certutil -setreg chain\WeakRsaPubKeyTime @07/04/2011+00:18
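The three certutil commands above each write one value under the certificate chain engine's configuration key. The following PowerShell script is an added example (not part of the original post) that reads those values back and reports the effective policy, so an administrator can verify what a machine will enforce before the update ships. The registry path, the value names, and the assumption that certutil stores the @date value as an 8-byte FILETIME are not stated on the page; they are the ones the chain\... settings map to on Windows and are labelled as assumptions in the code.

```powershell
# Added example, not code from the original post.
# Assumed location that "certutil -setreg chain\<name>" writes to on Windows.
$ConfigPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

function Get-WeakRsaPolicy {
    # Missing key or values mean the defaults described in the post apply.
    $key = Get-ItemProperty -Path $ConfigPath -ErrorAction SilentlyContinue

    # Default minimum after the update: 1024 bits.
    $minBits = 1024
    if ($key -and $null -ne $key.MinRsaPubKeyBitLength) {
        $minBits = [int]$key.MinRsaPubKeyBitLength
    }

    # Flag value 2 (from the post): allow a weak root / self-signed key while
    # still enforcing the minimum on the rest of the chain.
    $flags = 0
    if ($key -and $null -ne $key.EnableWeakSignatureFlags) {
        $flags = [int]$key.EnableWeakSignatureFlags
    }

    # Default Authenticode cutoff: January 1, 2010, 00:00 UTC.
    $cutoff = [datetime]::new(2010, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    if ($key -and $null -ne $key.WeakRsaPubKeyTime) {
        # Assumption: stored as a REG_BINARY little-endian FILETIME (8 bytes).
        $fileTime = [BitConverter]::ToInt64([byte[]]$key.WeakRsaPubKeyTime, 0)
        $cutoff = [datetime]::FromFileTimeUtc($fileTime)
    }

    [pscustomobject]@{
        ConfigKeyPresent        = [bool]$key
        MinRsaPubKeyBitLength   = $minBits
        WeakRootAllowed         = (($flags -band 2) -ne 0)
        AuthenticodeCutoffUtc   = $cutoff
    }
}

Get-WeakRsaPolicy | Format-List
```

Run it in an elevated PowerShell session after each certutil change to confirm the value landed where you expected; the cutoff is printed in UTC to match the convention the post uses for the default date.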

When the update is released in August, there will be another post with additional information on modifying the key-blocking behavior, on logging, and a link to guidance for discovering and troubleshooting the resulting issues. Please review the original blog post "RSA keys under 1024 bits are blocked" to learn how to detect certificates in use in your environment whose keys are not at least 1024 bits.
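As an added example (not from the original post or the earlier one it refers to), the following PowerShell script inventories the local machine certificate stores for RSA certificates whose public key is below the minimum, so they can be replaced before the update starts blocking them. It assumes the stores are reachable through the Cert: drive and uses the 1024-bit default from the post unless a different minimum is passed in; the hypothetical helper name Find-WeakRsaCertificates is mine.

```powershell
# Added example, not code from the original post.
function Find-WeakRsaCertificates {
    param(
        [int]$MinBits = 1024,                 # default minimum after the update
        [string]$StoreRoot = 'Cert:\LocalMachine'
    )

    $rsaOid = '1.2.840.113549.1.1.1'         # rsaEncryption; skip non-RSA keys

    Get-ChildItem -Path $StoreRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.PublicKey.Oid.Value -eq $rsaOid } |
        ForEach-Object {
            $bits = $_.PublicKey.Key.KeySize  # modulus length in bits
            if ($bits -lt $MinBits) {
                [pscustomobject]@{
                    Store      = Split-Path -Path $_.PSParentPath -Leaf
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $bits
                    # A weak self-signed root is what EnableWeakSignatureFlags 2 exempts.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}

Find-WeakRsaCertificates | Sort-Object KeyBits, Store | Format-Table -AutoSize
```

Pass -StoreRoot 'Cert:\CurrentUser' to check the current user's stores as well, and pass -MinBits 512 if you have lowered the minimum with certutil and only want to see what that configuration will still block.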

Source: Microsoft Technet
