Microsoft recently announced that Windows will no longer support TLS server certificates with RSA encryption keys shorter than 2048 bits. The move is intended to bolster Windows security and promote secure digital interactions.
The RSA (Rivest–Shamir–Adleman) algorithm is widely used across all industries, including the banking, e-commerce, and telecommunications sectors, for server authentication and communication encryption. Its security rests on the difficulty of factoring the product of two large primes, which makes RSA hard to break when the key is long enough. However, advances in cryptanalysis and the rise of quantum computing have rendered 1024-bit RSA keys vulnerable to cyberattacks. Continuing to use 1024-bit RSA keys for encryption increases the risk of exposing sensitive data to eavesdropping, decryption, and data breaches.
Despite global regulatory bodies disapproving the use of 1024-bit keys since 2013, several organizations continue to use these keys, exposing their systems to potential cyberattacks. Windows ceasing support for 1024-bit RSA keys now serves as a wake-up call for organizations to pull the plug on outdated, high-risk encryption methods and strictly adhere to the standards recommended by regulatory bodies.
What Next?
While Microsoft has yet to set a deadline for the deprecation, we can expect that support for the older keys will be discontinued in a phased manner. Nonetheless, Microsoft has encouraged Windows users to audit their certificate inventory for 1024-bit RSA keys and develop a plan to upgrade them to 2048 bits or higher as soon as possible. Once the changes take effect, Windows will only validate TLS server certificates with RSA keys of 2048 bits or more and will distrust certificates that use shorter RSA keys.
It is important to note here that public CAs stopped issuing certificates with 1024-bit RSA keys in 2013, following the CA/Browser Forum directive. So Microsoft’s deprecation largely impacts customers who are using private trust CAs to issue private trust certificates.
Will There Be Any Challenges in Migrating to 2048-Bit RSA Keys?
While migrating to 2048-bit RSA keys is sure to strengthen encryption and digital security, it could present a few challenges for organizations with an ad-hoc and manual approach to certificate lifecycle management.
Enterprises typically have thousands, if not millions, of certificates distributed across their environments. Looking through spreadsheets and databases to identify certificates employing 1024-bit RSA keys could be an arduous task akin to finding a needle in a haystack. Once the certificates are identified, each certificate will have to be manually replaced. This, yet again, is a daunting task involving multiple steps – revoking the old certificate, obtaining approvals for the new certificate, requesting or reissuing a new certificate, provisioning the new certificate to the relevant device, and finally binding the certificate to the right application or endpoint. Such ad-hoc, manual processes can make migrations at scale a nightmare for PKI teams.
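The inventory audit that Microsoft recommends (and that the paragraph above calls a needle in a haystack) can be scripted once certificates are collected. The following is an added example, not AppViewX code: it uses the pyca/cryptography library to build two constructed self-signed certificates (one with a 1024-bit key, one with a 2048-bit key) and then flags every RSA certificate in a labelled inventory that falls below the 2048-bit floor; the inventory dictionary and hostnames are assumptions for the demonstration.

```python
"""Audit a certificate inventory for RSA keys shorter than 2048 bits.
Added example (not AppViewX code); requires the pyca/cryptography package."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048  # the floor Windows will enforce for TLS server certs


def self_signed_cert(common_name: str, key_bits: int) -> bytes:
    """Constructed sample: a self-signed PEM cert carrying an RSA key of key_bits."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def audit_pem_inventory(inventory: dict) -> list:
    """Return [(label, subject, key_bits)] for every RSA cert below MIN_RSA_BITS.
    Non-RSA certificates (e.g. ECDSA) are outside this deprecation and are skipped."""
    findings = []
    for label, pem in inventory.items():
        cert = x509.load_pem_x509_certificate(pem)
        pub = cert.public_key()
        if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
            findings.append((label, cert.subject.rfc4514_string(), pub.key_size))
    return findings


if __name__ == "__main__":
    # Hypothetical inventory: label -> PEM bytes, as a scanner might collect it.
    inv = {"legacy-app.internal": self_signed_cert("legacy-app.internal", 1024),
           "api.internal": self_signed_cert("api.internal", 2048)}
    for label, subject, bits in audit_pem_inventory(inv):
        print(f"{label}: {subject} uses RSA-{bits}; replace with RSA-{MIN_RSA_BITS} or longer")
```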
Crypto-Agility Is Crucial for Swift and Seamless Cryptography Enhancements
Cryptography upgrades or migrations can be taxing, taking a considerable amount of time, resources, and budget, particularly for organizations with large infrastructures and a high volume of certificates. Without meticulous planning, these upgrades can span months, leaving systems vulnerable for extended periods. The longer it takes to identify and replace vulnerable certificates, the greater the risk of exposure. Also, in the case of Microsoft’s deprecation, if certificates are not upgraded to include 2048-bit (or higher) keys, they will be distrusted, causing an outage. This is why crypto-agility is considered a critical practice in modern cybersecurity.
By definition, crypto-agility is the ability to swiftly make cryptography changes, such as switching between cryptographic standards in response to cryptographic vulnerabilities or changing security requirements.
As new crypto-threats emerge, replacing older and weaker crypto-standards with newer and safer versions becomes imperative. In this context, crypto-agility enables organizations to respond rapidly to crypto-threats and keep their infrastructures protected. For instance, with the threat of quantum computing looming large, the National Institute of Standards and Technology (NIST) is hard at work developing quantum-resistant algorithms. Once the algorithms are standardized, organizations will need to migrate their systems to post-quantum algorithms to protect themselves against encryption compromises, data breaches, and compliance violations. Those adept in crypto-agility will be better equipped to tackle the challenges inherent in large-scale migrations to Post-Quantum Cryptography (PQC).
In addition to responding to emerging crypto-threats, crypto-agility is also about adapting quickly to changing cryptography requirements. Google recently announced its plans to reduce the validity of public TLS certificates from 398 to 90 days. Transitioning to 90-day certificates also demands crypto-agility to effectively manage the lifecycle of short-lived certificates and prevent application outages and vulnerabilities.
How Can AppViewX CERT+ Help You Become Crypto-Agile?
- Visibility
AppViewX CERT+ helps you discover and inventory all public and private trust certificates used in your organization. Knowing where your critical assets are helps scope the impact of weak crypto standards and vulnerabilities. The central inventory provides insights into critical certificate metadata, such as associated endpoints, certificate location, expiry date, owner, and Certificate Authority (CA). This helps analyze certificates for weak crypto standards (1024-bit RSA keys in this case) to identify high-risk instances that need to be switched to the recommended standard (2048-bit keys) on priority. This level of granular visibility allows organizations to quickly and efficiently prepare and remediate impacted certificates.
- End-to-End Certificate Lifecycle Automation
Manual PKI and certificate lifecycle management processes are error-prone and inefficient, and can cause significant delays in renewing, revoking, and provisioning certificates. AppViewX CERT+ automates certificate lifecycle management end-to-end. Custom automation workflows with a visual builder facilitate one-click or zero-touch provisioning and renewals that help execute crypto upgrades seamlessly without causing operational disruption. Support for all major auto-enrollment protocols further enables the silent enrollment and provisioning of certificates, requiring no manual intervention, ensuring a seamless migration experience.
- Control – PKI Policies and Governance
AppViewX CERT+ helps establish and enforce organization-wide crypto policies around using, modifying, and retiring cryptographic standards, such as algorithms, protocols, key lengths, etc., to ensure the use of the most current versions of cryptography (RSA 2048-bit or higher in this case). Automation ensures that strong policies are implemented and consistently enforced to avoid violations and ensure continuous compliance.
Migrate From Your Microsoft CA to a Cloud-based PKI
If you are running an internal Microsoft CA and are issuing 1024-bit RSA certificates, you will be impacted by Microsoft’s deprecation. As you plan your migration to 2048-bit RSA keys, now might be the right time to consider migrating away from your Microsoft CA as well. Although Microsoft Active Directory Certificate Services (AD CS), a traditional PKI solution, may have been the obvious choice for legacy on-premises environments, it falls short in meeting the PKI demands of today’s cloud-first IT infrastructures.
Running an in-house Microsoft CA can be very complex, time-consuming, and expensive. Keeping the CA keys safe and secure while still allowing the issuance, renewal, and revocation of end-entity certificates can be a huge operational burden on PKI teams. Even from a cost perspective, running a Microsoft CA is not feasible. In addition to the hardware and software costs of deploying the private PKI infrastructure, you have to invest in hiring PKI experts to manage and maintain it round-the-clock.
Migrating to PKI-as-a-Service with AppViewX PKI+
AppViewX PKI+ is a ready-to-use, scalable, and compliant PKI-as-a-Service that simplifies the complexity of operating a private PKI. With AppViewX PKI+, enterprises can set up a robust and secure certificate authority (CA) hierarchy for issuing private trust certificates within minutes, along with other crypto policies. There is no need to invest in costly PKI hardware, CA software, or scarce security professionals. The AppViewX PKI+ lift-and-shift feature works directly with Group Policy and native Windows Auto-enrollment to streamline the migration from a legacy PKI such as Microsoft CA to AppViewX PKI+. AppViewX handles the heavy lifting while you shift from on-prem PKI to a modernized PKIaaS in minimal time.
As a complete solution, AppViewX PKI+ combined with AppViewX CERT+ provides a centralized solution for modern private PKI and end-to-end certificate lifecycle automation. Enterprises can benefit from a secure and compliant PKI-as-a-Service, along with the robust policy engine and crypto-agile automation of AppViewX CERT+.
Crypto-Agility is Pivotal for a Secure Digital Future
The need to build crypto-agility has never been more apparent. From the standardization of Post Quantum Cryptography (PQC) to Google’s proposal for 90-day certificates and Microsoft’s decision to phase out vulnerable RSA keys, there is a palpable shift towards prioritizing stronger and more robust security measures. There is a growing sense of responsibility all around toward safeguarding and upholding digital trust. Organizations also need to be proactive in their approach to adapting to new developments and combating emerging threats. At the heart of this readiness lies crypto-agility. Whether it is to build quantum resilience or ensure your PKI is compliant with industry standards, crypto-agility is indispensable going forward.
To learn more about how AppViewX can help you become crypto-agile, request a demo today.