Symantec Endpoint Protection may be affected by Microsoft Security Advisory KB 2661254 if the administrator has configured client communications via SSL with a self-signed certificate using a key length less than 1024 bits. In this situation the administrator must take steps to ensure client-to-server communication is not disrupted.
Microsoft released an update (KB 2661254) on August 14, 2012, which ends support for certificates using RSA keys shorter than 1024 bits. After applying Microsoft’s update, all certificates with key lengths less than 1024 bits will be treated as invalid.
The update is available on the Microsoft Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows. In addition, Microsoft plans to release this update through Microsoft Update in October 2012, after customers have had a chance to assess its impact and take the necessary actions to use certificates with RSA keys of 1024 bits or more in their enterprise.
You can find more information about the update in the following links:
· Description and Instruction for Updating Certificates
http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
· Description and Instruction for Workarounds
http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx
This update does not impact Symantec Endpoint Protection with respect to code signing and Authenticode, or internally issued and used certificates. Signed code and internally issued/used certificates use key lengths of 1024 bits or higher.
This update may impact customers who meet the following criteria:
If these three criteria are met, Symantec Endpoint Protection clients will stop communicating with the management server.
(Note: If Microsoft KB 2661254 is applied to the management server only (not clients), client communication is unaffected. However, the Home, Monitors, and Reports windows cannot be displayed and the web console cannot log in.)
Symantec recommends reviewing the certificates used for SSL communication to ensure their key length is 1024 bits or higher.
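The following PowerShell script is an added example, not part of the Symantec article or the SEPM product: it lists the certificates in a Windows certificate store and flags any whose RSA public key is shorter than the 1024-bit floor that KB 2661254 enforces. It assumes Windows PowerShell 5.1 or later and read access to the store (run it on the SEPM host to check the certificate bound to the SEPM IIS site; the store path and 1024-bit threshold are parameters).

```powershell
# Added example (not from the Symantec article). Reports certificates in a
# Windows certificate store whose RSA public key is shorter than the length
# KB 2661254 enforces. Assumes Windows PowerShell 5.1 or later and read
# access to the store (Cert:\LocalMachine\My holds the IIS SSL certificate).
function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns the RSA modulus size in bits, or $null for non-RSA certificates.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) { return $null }
    return $rsa.KeySize
}

function Find-WeakRsaCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$MinBits = 1024   # the floor KB 2661254 enforces
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $bits = Get-RsaKeyBits -Cert $_
        if ($null -ne $bits) {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                KeyBits    = $bits
                # $true: the certificate will be treated as invalid after the update
                Weak       = ($bits -lt $MinBits)
            }
        }
    }
}

$report = Find-WeakRsaCertificate
$report | Sort-Object KeyBits | Format-Table Subject, KeyBits, Weak, NotAfter -AutoSize

$weak = @($report | Where-Object Weak)
if ($weak.Count -gt 0) {
    Write-Warning "$($weak.Count) RSA certificate(s) under 1024 bits found; replace them before installing KB 2661254."
}
```

Any certificate reported with Weak set to $true is one the SEPM administrator should replace using the prevention steps below before the update is installed.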
To determine the certificate length for SEP 11.0 in Windows 2003
If the certificate key length is less than 1024 bits, follow the instructions below to mitigate or remediate the issue.
To determine the certificate length for SEP 11.0 in Windows 2008
If the certificate key length is less than 1024 bits, follow the instructions below to mitigate or remediate the issue.
To determine the certificate length in SEP 12.1
Before installing KB 2661254, the SEPM administrator can mitigate the issue by creating and installing a new certificate. The newly-created certificate must have a key length of 1024 bits or higher.
To prevent the issue for SEP 12.1
For SEP 12.1, follow the steps in the Symantec Endpoint Protection Implementation Guide, sections “Upgrading a server certificate” and “Upgrading server security certificates without orphaning clients.”
To prevent the issue for SEP 11.0 on Windows Server 2003
For SEP 11.0 on Windows 2003, remove the old SSL certificate from the SEPM IIS web site, install a new one, and then perform the steps outlined in Configuring Secure Sockets Layer (SSL) to work with the Symantec Endpoint Protection 11.x reporting functions on Windows Server 2003.
To remove the existing certificate on Windows 2003
To prevent the issue for SEP 11.0 on Windows Server 2008
For SEP 11.0 on Windows 2008, remove the old SSL certificate from the SEPM IIS web site, install a new one, and then perform the steps outlined in Configuring Endpoint Protection Manager (SEPM) for SSL on Windows 2008.
To remove the existing certificate on Windows 2008
If you have already installed KB 2661254 and are experiencing certificate rejection on the client, you will need to take one of the following remediation actions:
Use SylinkReplacer to restore communications
Note: You will need to contact Symantec Technical Support to obtain the SylinkReplacer tool.
Use Microsoft certutil to temporarily lower the key length restriction
Note: The certutil command will affect all certificate checks on the client.
Replication environment concerns
After updating the certificate in a replication environment, the SEPM administrator must ensure that each replication partner trusts the new certificate.
To trust the new certificate in SEP 12.1
To trust the new certificate in SEP 11.0