Impact from Microsoft Update for Minimum Certificate Key Length

📖 Home  Back  

Problem

Microsoft has released update KB2661254 for all operating systems including Windows XP Service Pack 3/Vista/7 (32bit & 64bit) and Windows Server 2003/2008 (32bit & 64bit).  This update has a direct impact on ClearSCADA (WebX in particular) as it restricts the minimum certificate length to 1024 bits.  WebX users who are currently using 512 bit certificates will suddenly find an abrupt change in performance once this update is installed.  The effects of installing KB2661254 on systems that use a 512 bit certificate are as follows:

• WebX will no longer connect or display any data from the ClearSCADA database
• ViewX client side scripts will stop working (as they connect to the ClearSCADA server over the secure web socket)

NOTE: ClearSCADA systems using 1024 bit or greater certificates are not affected by this update

Solution

There are several possible solutions to this issue for customers who are using 512 bit certificates:

Certificates larger than 512 bits are only supported on CS 2009 R2.4 and above. If purchasing new certificates to replace old ones please note that intermediate certificates are only supported in CS 2010 R3 and above. Most certificate authorities now sell intermediate by default.

• Upgrade to a 1024 or 2048 bit certificate
• If the certificate was purchased (e.g. from Verisign) then an updated certificate will need to be purchased
• If the certificate was generated by ClearSCADA then deleting the existing certificate (*both* the private key and certificate files) and then restarting the ClearSCADA server will generate a new self-signed certificate.

The location of the private key and certificate files are defined the the following registry keys:

HKLM\SOFTWARE\Schneider Electric\ClearSCADA\DB\WebSSLPrivKeyHKLM\SOFTWARE\Schneider Electric\ClearSCADA\DB\WebSSLPubCert

The key length for certificates generated by ClearSCADA is defined by the following registry key (needs to be at least 1024):

HKLM\SOFTWARE\Schneider Electric\ClearSCADA\DB\WebSSLKeySize

• Flush the old certificates from client machines by going to (Internet Options - Content - Clear SSL State)
• Reduce the minimum key length back to 512 bits on the client machine:

Certutil -setreg chain\minRSAPubKeyBitLength 512

See http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx for more details.

Go: Home Back