Important Notice About a Forthcoming Update
If you are currently working with App-V, SCVMM, Hyper-V, SCCM, or any other management environment that relies on certificates, you need to be aware of an important update being released next week.
Next week Microsoft will widely distribute an update that blocks the use of RSA keys shorter than 1024 bits. It will be issued as a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Once it is installed, any certificate chain containing an RSA key of fewer than 1024 bits fails validation (a 1024-bit key is still accepted), so any service that relies on such a certificate, whether IIS or any other client-side or server-side application or service, can suffer an outage. The PKI blog has more information on the update and how it works; please refer to the following links:
https://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
https://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx
These articles describe how to get ahead of this issue and what remediation options are available. If you manage updates through SCCM or WSUS, verify the key lengths of all of your certificates before you approve this update for deployment.
UPDATE: 8-11-2012
I have received a lot of questions asking me to be more specific about how particular products may or may not be affected. How this affects your environment depends on the specifics of your product usage. The articles from the PKI blog referenced above are very helpful in giving you methods of determining whether you are using certificates with key lengths of less than 1024 bits and how to go about remediating the issue. Most of the specific examples of product usage revolve around IIS-based services. In addition, other scenarios in our world of virtualization and manageability include:
- Using a certificate for RTSPS (App-V secure streaming) generated from a web server template with a key length of less than 1024 bits.
- Using certificates for the Self-Service Portal (SSP) in SCVMM 2008/R2 generated from a web server template with a key length of less than 1024 bits.
- Using client- or server-side SSL for policy and image distribution in MED-V v1 with certificates whose keys are shorter than 1024 bits.
Most of the guidance in recent years has recommended requesting certificates with a key length of at least 1024 bits; see, for example, the guidance for SCCM (Configuration Manager) Native Mode.
The public key infrastructure (PKI) certificates required to set up secure communications in manageability and virtualization products must be created, installed, and managed independently of the products themselves. In most organizations this means a different IT administrative group handles them, which leads to many variations in how the required certificates are deployed. You will need to consult your PKI deployment team to help assess how this update will affect you.
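The following PowerShell script is an added example, not code from the original post or from Microsoft, showing how to perform the inventory recommended above: it walks the local certificate stores for RSA keys shorter than 1024 bits and, for the IIS, RTSPS and SSP style endpoints listed, connects to a TLS listener and reports the key size of every certificate in the chain the server presents. It assumes PowerShell 2.0 (Windows 7 / Windows Server 2008 R2) with the built-in Cert: drive; the host names at the end are placeholders, and the 1024-bit threshold is the one KB 2661254 enforces.

```powershell
# Added example (not from the original post or from Microsoft): inventory RSA
# keys shorter than 1024 bits, the threshold KB 2661254 enforces, both in the
# local certificate stores and on remote TLS endpoints (IIS, App-V RTSPS,
# SCVMM Self-Service Portal). Written for PowerShell 2.0.

$MinimumRsaBits = 1024                 # keys below this are rejected after the update
$RsaOid         = '1.2.840.113549.1.1.1'

function Get-RsaKeySize {
    # Returns the modulus length in bits for an RSA certificate, $null otherwise
    # (the update only affects RSA keys; DSA and ECC keys are not blocked by it).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if ($Certificate.PublicKey.Oid.Value -ne $RsaOid) { return $null }
    return $Certificate.PublicKey.Key.KeySize
}

function Get-WeakRsaCertificate {
    # Walks every store under the given roots (My, CA, Root, ... for both the
    # machine and the current user) and emits one object per weak certificate.
    param([string[]]$StoreRoots = @('Cert:\LocalMachine', 'Cert:\CurrentUser'))
    foreach ($root in $StoreRoots) {
        Get-ChildItem -Path $root -Recurse |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
          ForEach-Object {
            $bits = Get-RsaKeySize $_
            if ($bits -ne $null -and $bits -lt $MinimumRsaBits) {
                New-Object PSObject -Property @{
                    Store      = $_.PSParentPath -replace '^.*::', ''   # e.g. LocalMachine\My
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                }
            }
          }
    }
}

function Test-TlsEndpointKeySize {
    # Connects to a TLS endpoint and reports the key size of every certificate
    # in the chain built from the server's certificate. The whole chain matters:
    # the update rejects a chain if any element, not only the leaf, has a weak key.
    param([string]$HostName, [int]$Port = 443)
    # Accept any certificate here: this is an inventory, not a trust decision.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation lookups are irrelevant to key size and may fail offline.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($leaf)       # ChainElements is populated even if Build returns $false
        $position = 0
        foreach ($element in $chain.ChainElements) {
            $bits = Get-RsaKeySize $element.Certificate
            New-Object PSObject -Property @{
                Endpoint = '{0}:{1}' -f $HostName, $Port
                Position = $position    # 0 = server certificate, last = root
                Subject  = $element.Certificate.Subject
                KeyBits  = $bits
                Weak     = ($bits -ne $null -and $bits -lt $MinimumRsaBits)
            }
            $position++
        }
    }
    finally { $client.Close() }
}

# Usage: run on each server before approving the update in WSUS or SCCM.
Get-WeakRsaCertificate | Format-Table Store, Subject, KeyBits, NotAfter -AutoSize

# Placeholder host names (assumed, not from the post); substitute your own
# IIS, RTSPS and SSP servers, and pass -Port for listeners not on 443.
'appv01.contoso.local', 'scvmm-ssp.contoso.local' | ForEach-Object {
    Test-TlsEndpointKeySize -HostName $_ -Port 443
} | Where-Object { $_.Weak } | Format-Table Endpoint, Position, Subject, KeyBits -AutoSize
```

Run the store inventory under an account that can read the LocalMachine stores, and run the endpoint check from a client that will receive the update, since that is the side on which the chain will be rejected. A certificate that shows up as weak anywhere in the chain needs to be reissued from a template that produces a key of at least 1024 bits before the update is approved.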
UPDATE: 8-14-2012
The security advisory is located at https://technet.microsoft.com/security/advisory/2661254.
The KB article is available at https://support.microsoft.com/kb/2661254.
The update is available now to allow organizations to assess the impact of this update and to reissue certificates with larger key sizes, if necessary, before the update is sent out through Windows Update. Previous blogs may have mentioned it being released to Windows Update this month. That is no longer the case. The update is planned to be sent out through Windows Update on October 9, 2012.
Comments
Anonymous
January 01, 2003
This article is meant to provide information regarding the update. While Microsoft recommends using the strongest security means possible, we also advise testing before applying this update in production.
Anonymous
August 10, 2012
Amadeus is asking all travel agencies not to update.
Anonymous
August 14, 2012
That's because most of the Amadeus software is either unsigned or partly signed ActiveX plugins that they expect you to set your security to zero in order to run their poorly written software.