I have recently written about two major reasons to keep your certificate stores clean:
- Microsoft KB2661254 invalidates certificates with a key length of 1024 bits or smaller on all supported Windows systems.
- Microsoft's algorithm for searching and scanning certificates in the Trusted Root Certification Authorities store fails if the store contains more than 200 certificates.
From an even broader perspective, you should keep your certificate stores clean in the same manner you limit the software installed on your systems. The same best practice applies to both scenarios: If you're not using it or don't know what it is, get rid of it!
That said, consider "clean" certificate stores as being those free of any outdated, unwanted, or unneeded certificates. Outdated or unnecessary certificates can cause a lot of problems for SysAdmins. And the maintenance needs to happen both on the CA and the application hosts. Both of the reasons mentioned above can cause your applications or websites to fail; and if your customers (be they external or internal) can't access the tools they need to do business, no one in the situation will be happy.
More About Clean Certificate Stores
The first reason I mentioned is the most pressing for the broadest audience. Currently, KB2661254 is only available for manual download in the Microsoft Download Center; but when Microsoft releases the update to Microsoft Update this month, things are liable to break if you don't plan ahead. The reason I say this is the update is classified as Critical, which means a vast majority of Windows systems out there will apply it automatically, and those systems will no longer be able to interface with websites or applications with weak certificates.
The other reason admittedly has a narrower scope, but it's important nevertheless. My colleagues and I have looked for documentation on why Microsoft's algorithm fails when certificate stores reach a certain capacity, but the best explanation we can come up with is they never expected the stores to get so big. Compare the certificate stores on your Windows 7 machines, for example, to those on XP systems, and you'll see the latter are a lot bigger. That's because Microsoft (and others), are constantly issuing new certificates, but few organizations (much less the issuers themselves) have a solid plan for ongoing certificate management. So what you end up with is certificate stores full of expired, replaced, or mystery certificates.
Recommendations for Cleanup
The recommendation for addressing the first reason is pretty straightforward: replace any certificates with a key length of 1024 bits or less with a stronger certificate ASAP. If you can't do that this month, and you have the necessary level of control over the computers that rely on those certificates, make sure those computers are not configured to automatically deploy KB2661254 when it goes live.
As for the second reason, we recommend reducing your certificate stores to about 180 certificates or less - just to play on the safe side. As you consider what certificates to remove, think of the following as "safe to delete":
- Expired certificates
- Unknown foreign certificates
- Certificates with a key length of 1024 bits or smaller
Managing the Cleanup
One of our products, SolarWinds Patch Manager, can help with both of these tasks, albeit indirectly. First, if you need to postpone the enterprise-wide deployment of KB2661254, Patch Manager can help you do that as an extension of Microsoft WSUS. Second, with the WMI inventory and reporting functionality within Patch Manager, you can view the certificates on all of your managed systems, and then decide what certificates to delete at an enterprise-wide level.
Whether you use Patch Manager or not, keep those certificate stores clean. Your servers and applications depend on it.