How does this 2048-bit SSL requirement affect existing internal PKIs?

Solution 1:

Microsoft pushed an update in October of 2012 that made SSL certificates under 1024-bits not validate as secure. That particular update also removed weak-key validation for any certificates in the chain, which would include older Authorities signed with weak keys. The question is, will they do so again for 2048-bit certificates, and if so how soon?

They definitely will do so, but there is no guidance on how soon that may happen. It could be next year, it could be five years from now. When they did it last time they gave us a month's notice, but best practice had been to use 2048-bit certificates for some time.

What is happening is that the Certificate Authorities are moving to stronger certificates, and external SSL checkers are going to start complaining about weak certificates when they run into 1024-bit ones. Certain high-profile vendors are doing so as well.

This is your sign to start the manual process of upgrading your central certificate to something stronger. It'll take a long time, probably a couple years, but it can be done smoothly now rather than in a panic when the formal deprecation notice arrives.


As a side note, those of us who, erm, created internal authorities for use entirely internally and just used the default key-size for whatever PKI we picked, and decided to avoid the re-keying fiasco by setting the expiry date on that default-key-size certificate to 2030? We, ahm, kinda made a mistake there.

Sure, we kept that key on a printed piece of paper in a bank vault requiring biometric access. But if brute-force methods allow a perp to completely factor the key in 2015, all that fun protection is meaningless. This is the lesson we're learning now.

Re-keying fiasco commencing.
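As an added illustration (not part of the answer above), the first step of that re-keying is finding out which certificates in an internal chain still carry a short RSA key, and how long they are valid for. The POSIX shell function below walks a PEM bundle with the `openssl` CLI and flags RSA keys under 2048 bits alongside their notAfter date, the combination the answer describes (weak default key size, expiry pushed out to 2030). It assumes `openssl` is on the PATH; `audit_chain` and `MIN_BITS` are names chosen here.

```shell
#!/bin/sh
# Audit every certificate in a PEM bundle (leaf, intermediates, root) and flag
# RSA keys below MIN_BITS. Only needs the openssl CLI. Names here are our own.
MIN_BITS=${MIN_BITS:-2048}

# audit_chain BUNDLE.pem
# Prints one line per certificate: "<OK|WEAK> <bits> <algorithm> expires <notAfter> | <subject>"
# Returns non-zero if any RSA key in the bundle is shorter than MIN_BITS.
audit_chain() {
    bundle=$1
    weak=0
    n=0
    total=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    while [ "$n" -lt "$total" ]; do
        n=$((n + 1))
        # Pull the n-th certificate block out of the bundle.
        cert=$(awk -v want="$n" '/BEGIN CERTIFICATE/ {c++}
                                 c == want {print}
                                 /END CERTIFICATE/ {if (c == want) exit}' "$bundle")
        # One openssl call per cert; parse the fields we need from the -text dump.
        # ("RSA Public-Key:" on OpenSSL 1.1.x, "Public-Key:" on 1.0.x and 3.x.)
        text=$(printf '%s\n' "$cert" | openssl x509 -noout -text)
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p')
        notafter=$(printf '%s\n' "$text" | sed -n 's/^ *Not After *: //p')
        subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p')
        # A short RSA key is weak no matter how far out notAfter is set;
        # EC keys use a different size scale, so only RSA is compared here.
        if [ "$alg" = "rsaEncryption" ] && [ "${bits:-0}" -lt "$MIN_BITS" ]; then
            tag=WEAK
            weak=$((weak + 1))
        else
            tag=OK
        fi
        printf '%s %s %s expires %s | %s\n' "$tag" "$bits" "$alg" "$notafter" "$subject"
    done
    [ "$weak" -eq 0 ]
}
```

Run it as `audit_chain ca-chain.pem` against the exported chain of an internal CA; a non-zero exit status means at least one certificate in the chain needs to be re-keyed before external checkers or a future OS update start rejecting it.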