With the new update (KB2661254), Microsoft has started blocking websites whose certificate key length is 1024 bits or less. With this, IE will not let you connect to the site at all. All you get is “Click here to close this webpage”.
Fortunately Microsoft explained how to override this security feature in the same KB article (https://support.microsoft.com/en-us/kb/2661254).
- Open Command Prompt with Administrative Privileges (right click CMD.exe and select “Run as administrator”)
- Type certutil -setreg chain\minRSAPubKeyBitLength 512
- Log off and log back in
Here is the resolution by editing the registry key from the KB article:
Allow key lengths of less than 1024 bits by using registry settings
Microsoft does not recommend customers use certificates less than 1024 bits long. Customers may however need a temporary workaround while a longer term solution is developed to replace RSA certificates with a key length of less than 1024 bits length. In these cases, Microsoft is providing the customers the ability to change the way the update functions. Customers configuring these settings are accepting the risk that an attacker may be able to break their certificates and use them to spoof content, perform phishing attacks, or perform Man-in-the-Middle attacks.
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
On Windows 8 or Windows Server 2012-based computers that have the update applied, the following registry path and settings can be used to control detection and blocking of RSA certificates with less than 1024 bit key lengths.
There are four main values that control how keys under 1024 bits blocking works. These are as follows:
- MinRsaPubKeyBitLength
Each of these values and what they control are discussed in the following sections.
For operating systems starting with Windows Vista and Windows Server 2008, you can use certutil commands to change these registry settings. On Windows XP, Windows Server 2003, and Windows Server 2003 R2, you cannot use certutil commands to change these registry settings. However, you can use Registry Editor, reg command, or reg file.
MinRsaPubKeyBitLength is a DWORD value that defines the minimum allowed RSA key length. By default, this value is not present, and the minimum allowed RSA key length is 1024. You can use certutil to set this value to 512 by running the following command:
certutil -setreg chain\minRSAPubKeyBitLength 512
Note: All certutil commands shown in this article require local Administrator privileges because they are changing the registry. You can ignore the message that reads “The CertSvc service may have to be restarted for changes to take effect.” That is not required for these commands because they do not affect the certificate service (CertSvc).
You can revert to blocking keys that have a length of less than 1024 bits by removing the value. To do this, run the following certutil command:
certutil -delreg chain\MinRsaPubKeyBitLength
The EnableWeakSignatureFlags DWORD value has three potential values: 2, 4, 6, and 8. These settings change the behavior of how the keys under 1024 bits detection and blocking works. The settings are described in the following table:
Decimal value  Description
2              When enabled, the root certificate (during chain building) is allowed to have an RSA certificate with a key length of less than 1024 bits. Blocking of RSA certificates lower in the chain (if they have less than 1024 bit keys) is still in effect. The flag enabled when this value is set is CERT_CHAIN_ENABLE_WEAK_RSA_ROOT_FLAG.
4              Enables logging, but still enforces blocking of RSA certificates with keys less than 1024 bits. When it is enabled, the WeakSignatureLogDir is required. All keys with less than 1024 bit length encountered are copied to the physical WeakSignatureLogDir folder. The flag enabled when this value is set is CERT_CHAIN_ENABLE_WEAK_LOGGING_FLAG.
6              When it is enabled, the root certificate is allowed to have an RSA certificate with a key less than 1024 bits and the WeakSignatureLogDir is required. All keys below the root certificate that have keys of less than 1024 bits are blocked and logged to the folder that is specified as the WeakSignatureLogDir.
8              Enables logging and does not enforce blocking of keys that have a length of less than 1024 bits. When it is enabled, the WeakSignatureLogDir is required. All keys encountered that have a length of less than 1024 bits are copied to the physical WeakSignatureLogDir folder. The flag enabled when this value is set is CERT_CHAIN_ENABLE_ONLY_WEAK_LOGGING_FLAG.
To enable an RSA root certificate that has a key length of less than 1024 bits, use the following certutil command:
certutil -setreg chain\EnableWeakSignatureFlags 2
To enable logging while still blocking certificates that use a key length of less than 1024 bits, use the following certutil command:
certutil -setreg chain\EnableWeakSignatureFlags 4
To enable logging of only RSA certificates below the root certificate that have a key length of less than 1024 bits, use the following certutil command:
certutil -setreg chain\EnableWeakSignatureFlags 6
To enable logging only and not blocking key lengths of less than 1024 bits, use the following certutil command:
certutil -setreg chain\EnableWeakSignatureFlags 8
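Before loosening the policy with any of the certutil commands above, it helps to know what the machine's current settings are and which certificates in the local stores would actually be affected. The PowerShell script below is an added example written for this post; it is not from the KB article or from Microsoft. It assumes that the `chain\` values set by certutil live under the chain-engine Config key named in the script (that path is not stated on this page), and it reads the three value names discussed here: MinRsaPubKeyBitLength, EnableWeakSignatureFlags and WeakSignatureLogDir. It then lists RSA certificates in the machine and user stores whose public key is shorter than the effective minimum, which is exactly the set a defender should be replacing rather than whitelisting.

```powershell
# Added example: audit the KB2661254 weak-RSA-key policy and find affected certificates.
# Assumption (not stated on the page): certutil's "chain\" values are stored under this key.
$chainConfig = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

# Meaning of each EnableWeakSignatureFlags value, taken from the KB table above.
$flagMeaning = @{
    2 = 'weak RSA root allowed; rest of chain still blocked (CERT_CHAIN_ENABLE_WEAK_RSA_ROOT_FLAG)'
    4 = 'log weak keys, still block (CERT_CHAIN_ENABLE_WEAK_LOGGING_FLAG)'
    6 = 'weak RSA root allowed; keys below the root blocked and logged'
    8 = 'log only, no blocking (CERT_CHAIN_ENABLE_ONLY_WEAK_LOGGING_FLAG)'
}

function Get-RegValueOrDefault {
    # Returns a named value from the chain config key, or $Default when the value is absent.
    param([string]$Name, $Default)
    $props = Get-ItemProperty -Path $chainConfig -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) { return $props.$Name }
    return $Default
}

function Get-WeakKeyPolicy {
    # Absent values mean the update's default: block RSA keys below 1024 bits, no logging.
    $minBits = [int](Get-RegValueOrDefault -Name 'MinRsaPubKeyBitLength'    -Default 1024)
    $flags   = [int](Get-RegValueOrDefault -Name 'EnableWeakSignatureFlags' -Default 0)
    $logDir  =       Get-RegValueOrDefault -Name 'WeakSignatureLogDir'      -Default $null

    [pscustomobject]@{
        MinRsaPubKeyBitLength    = $minBits
        MinimumIsDefault         = ($minBits -eq 1024)
        EnableWeakSignatureFlags = $flags
        FlagsMeaning             = if ($flagMeaning.ContainsKey($flags)) { $flagMeaning[$flags] }
                                   else { 'default: block RSA keys below the minimum length' }
        WeakSignatureLogDir      = $logDir
        # The KB says values 4, 6 and 8 require WeakSignatureLogDir; flag a half-configured state.
        LogDirMissing            = (($flags -in 4, 6, 8) -and -not $logDir)
    }
}

function Get-WeakRsaCertificate {
    # Lists RSA certificates whose public key is shorter than $Threshold bits.
    # The Root store is included because the update blocks weak roots too unless flag 2 is set.
    param(
        [int]$Threshold = 1024,
        [string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My')
    )
    $rsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption; checked first so non-RSA keys are skipped safely
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.PublicKey.Oid.Value -ne $rsaOid) { return }
            $size = $_.PublicKey.Key.KeySize
            if ($size -lt $Threshold) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    KeySize    = $size
                    NotAfter   = $_.NotAfter
                }
            }
        }
    }
}

# Usage: show the effective policy, then the certificates that would be blocked under it.
$policy = Get-WeakKeyPolicy
$policy | Format-List
Get-WeakRsaCertificate -Threshold $policy.MinRsaPubKeyBitLength | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine stores are readable. If `LogDirMissing` comes back `True`, the logging flags have been set without the directory the KB says they require; and any certificate the second function lists is a candidate for reissue with a 2048-bit key, which removes the need for the override in the first place.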