on the 9th october MS will block access to SSL sites that use certificates with less than 1024bit keys.
I run lots of SBS 2008 and 2011 servers that use the built in tools to create self signed SSL certs for RWW and OWA.
Here:-
I’m able to buy UC certificates still, that are for Exchange 2007 / 2010 servers etc, yet they are still 128 / 256 bit.
So, my quandry, come October 9th, what kind of certificates do I need to have in place so that RWW / OWA and Outlook over HTTP still function?
You have just been replied and helped by Comodo’s CEO. How about that?
You can do the same exact procedure you followed the first time you installed your current certificate. Just make sure to select 2048 for your RSA key size.
In the "Cryptographic Service Provider Properties" window, Leave Cryptographic Service provider Default (Microsoft RSA SChannel Cryptographic Provider) Change the Bit Length to (2048) then Click Next
Thanks to Comodo unlimited re-issuance policy, you can obtain your new certificate absolutely for FREE.
Note the actual MS advisory says it will reject “less than 1024 bit” keys, meaning older certificates at exactly that length are still fine by Microsoft’s standard.
Even Windows 2003 made you go out of your way to create a certificate smaller than this, I suspect very few businesses will be impacted. Those that did, made deliberate decisions to lower security.
I know that it was a long time ago I had to start remembering to create our CSRs at 2048 bit - because Comodo would reject attempts to create certificates from 1024 keys, in being more proactive than Microsoft or other vendors about requesting even longer keys.
I ordered the UCC and it installed without a hitch. The details in the browser tell me the RSA key is 2046 bit, however, I wasn’t asked to specify a length while applying for the cert, so assume that you guys have set the default values now to be 2046 rather than allowing the user to select something less.
I don’t believe it is - Comodo chooses the length for its own keys (which is currently 2048 bit), but they can only sign the keys a buyer provides.
As I mentioned earlier, they will refuse to sign overly small keys in the interests of your own security, but they can’t make them bigger for you.
Since you mentioned a UCC cert, I’ll assume you generated it for Exchange. Refer here:
It states:
The KeySize parameter specifies the size (in bits) of the RSA public key associated with the certificate that you’re creating.
Acceptable values are 4096, 2048, and 1024. The default value is 2048.
This is contrary to a key generated in IIS which may default to 1024 bits, where you will need to raise this number manually.
