Microsoft to ban keys less than 1024 bits

June 15, 2012 by Bruce Morton

If you do not keep track of the key sizes used in your digital certificates, you are about to have some problems. Microsoft is not a proponent of small digital keys. Its Windows Root Certificate Program does not allow CAs to issue certificates with RSA keys smaller than 1024 bits and deprecates RSA keys smaller than 2048 bits. This is in line with the NIST recommendations to move to a minimum of 2048-bit keys by January 1, 2014, and with the CA/B Forum Baseline Requirements, which carry the same specification.

In August 2012, Microsoft will release a new patch for the following operating systems: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. The update will block the use of cryptographic keys that are less than 1024 bits. As a result, users will run into problems when visiting an SSL site, enrolling a certificate, creating or consuming S/MIME email messages, installing ActiveX controls, or installing software wherever a small cryptographic key has been used.

If you only have publicly-trusted certificates from reputable vendors, there’s nothing to worry about. Public CAs, such as Entrust, do not issue certificates with small keys and have plans in place to move to a minimum of 2048-bit keys by January 1, 2014.

However, if you are like most organizations we talk to, you likely have certificates signed by various CAs. Some users may have problems, come August, if their certificates have been issued from an internal CA that does not follow the common certificate policy rules.

Entrust does offer a solution called Discovery, which helps you inventory all your digital certificates, from any vendor or source, and set policy regarding key size. With Discovery, you are alerted to certificates with key sizes that are outside your policy.
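
For a single Windows machine, the same kind of key-size check can be run by hand. The script below is an added example, not part of the original post and not Entrust Discovery: it lists the RSA certificates in the local certificate stores and flags them against the two thresholds named above. It assumes Windows PowerShell with .NET Framework 4.6 or later; the function and variable names are hypothetical.

```powershell
# Added example: classify RSA certificates in the local Windows certificate
# stores against the two thresholds named in the post.
$BlockBelow     = 1024   # keys smaller than this are blocked by the update
$DeprecateBelow = 2048   # keys smaller than this are deprecated

function Get-KeySizeStatus {
    param([int]$Bits)
    if ($Bits -lt $BlockBelow)     { return 'Blocked' }
    if ($Bits -lt $DeprecateBelow) { return 'Deprecated' }
    return 'OK'
}

# Walk every store under CurrentUser and LocalMachine; skip the store and
# location containers and keep only certificate objects.
$report = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object {
        # GetRSAPublicKey returns $null for non-RSA (for example ECDSA) certificates.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
        if ($null -ne $rsa) {
            [pscustomobject]@{
                Status     = Get-KeySizeStatus -Bits $rsa.KeySize
                KeyBits    = $rsa.KeySize
                Store      = $_.PSParentPath -replace '^.*::', ''
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
    }

# Show only certificates that fall outside the policy, weakest first.
$report | Where-Object Status -ne 'OK' |
    Sort-Object KeyBits, Store |
    Format-Table -AutoSize Status, KeyBits, Store, Subject, Issuer, NotAfter

# Summary count per status for the whole inventory.
$report | Group-Object Status | Select-Object Name, Count
```

The CurrentUser stores differ per account, so the result covers only the account that runs the script plus the machine-wide stores.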


Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
