Select Page
This entry has been published on 2012-10-16 and may be out of date.

Last Updated on 2012-10-16.

When you install the Microsoft KB2661254 update, it can cause problems if you use e.g. an internal certificate authority in your local network. This update marks all certificates with public keys with length below 1024 as invalid.

So you have 2 options:

– Remove the update

– Probably better: Renew the key of the certificates


I use an old Windows 2000 Server for my internal CA, and the root certificate only had a key length of 512 bits. To renew it, open your CA application, right-click on your CA and select “renew”. Then choose the option to also renew the key of it. By default, the new key has now a length of 1024 bits.

If you want a longer key, create a file CAPolicy.inf under %windir% with the following content:

Signature= “$Windows NT$”

Now restart the CA service and after renewing your certificate, it should have a key length of 4096.

You maybe also want to deploy your new CA certificate via GPO. Use your Group Policy Editor and replace the old one.

If you are using MS Lync 2010 in your local network, you maybe have to renew the certificate via the Setup Wizard.