SSL Certificate Chain Contains RSA Keys Less Than 2048 bits (PCI DSS)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The X.509 certificate chain used by this service contains certificates
with RSA keys shorter than 2048 bits.

Description :

At least one of the X.509 certificates sent by the remote host has a
key that is shorter than 2048 bits. According to industry standards
set by the Certification Authority/Browser (CA/B) Forum, certificates
issued after January 1, 2014 must be at least 2048 bits.

Some browser SSL implementations may reject keys less than 2048 bits
after January 1, 2014. Additionally, some SSL certificate vendors may
revoke certificates less than 2048 bits before January 1, 2014.

Note that Nessus will not flag root certificates with RSA keys less
than 2048 bits if they were issued prior to December 31, 2010, as the
standard considers them exempt.

See also :

https://www.cabforum.org/Baseline_Requirements_V1.pdf

Solution :

Replace the certificate in the chain with the RSA key less than 2048
bits in length with a longer key, and reissue any certificates signed
by the old certificate.

Risk factor :

Medium

Family: General

Nessus Plugin ID: 73459 ()

Bugtraq ID:

CVE ID: