Are there any major compatibility issues with using > 2048 bit CA keys?

  • Wednesday 25 April 2012 02:00

    Hi everyone,

    I found a few threads in the past that recommend caution when using key sizes larger than 2048 bits in a PKI hierarchy given that some older software and hardware may have issues. Older versions of Java and Cisco VPN 3000 concentrators have been mentioned.

    I notice all of the major public certificate vendors use 2048 bit CA key sizes - but I would imagine these would be constrained to supporting the lowest common denominator.

    Has anyone deployed their PKI using 4096 bit CA keys in their hierarchy - eg offline root? If so have you come across any compatibility issues other than the ones above?

    Is there a list of software/hardware other than those I've mentioned earlier that are known to have compatibility issues with > 2048 bit CA keys?

    Finally, if I did go with a 4096 bit root CA key in my hierarchy and subsequently encounter issues, is "downsizing" as simple as regenerating the root CA key with a 2048 bit keysize?

    tia

All replies

  • Wednesday 25 April 2012 16:29
     Answer

    Hi,

    I have used 4096-bit for quite a few AD CS deployments and never had a problem. Hopefully most modern-day vendors and solutions should be able to cope with a 4096-bit key by now.

    The choice of hashing algorithm like SHA2, rather than key length, seems to be more real-world impacting from what I have seen...

    I know 2048 is the safer option if you want to provide the maximum level of compatibility, but I think you know that ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    • Marked as answer by pb3000 Tuesday 01 May 2012 16:57
  • Tuesday 01 May 2012 16:57

    Jason,

    Thank you for your very helpful reply. Apologies for the delay; I was unable to log in to the forums for a while.

    Will bear your advice in mind going forward.

    Can anyone advise whether it is possible to downsize to a smaller key (or upsize to a larger one) by simply generating a new key pair on the CA(s)?

  • Tuesday 01 May 2012 17:31
     Answer

    Yep, you can resize in both directions (using CAPolicy.inf)

    Here are my known "bad" apps that cannot work with CA keys > 2048 bits:

    - Cisco VPN 3000 concentrators
    - Nortel Contivity devices
    - Java applications compiled prior to Java RTE 1.5

    Brian

    • Marked as answer by pb3000 Tuesday 08 May 2012 15:49
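    The CAPolicy.inf resize that Brian describes, as an added example rather than anything posted in this thread: on AD CS the file lives at %SystemRoot%\CAPolicy.inf, and the RenewalKeyLength value is only honoured when the CA certificate is renewed with a new key pair (the "Renew CA Certificate" action in the CA console, or `certutil -renewCert` without the ReuseKeys option). The initial key size is chosen at CA installation, not by this file. The 20-year validity is an assumed value for an offline root.

    ```ini
    ; %SystemRoot%\CAPolicy.inf (constructed example for an offline root CA)
    [Version]
    Signature="$Windows NT$"

    [certsrv_server]
    ; Key size used the next time the CA certificate is renewed with a NEW key.
    ; Set this to 2048 instead to "downsize" if a 4096-bit root breaks a client.
    RenewalKeyLength=4096
    ; Lifetime of the renewed root certificate (assumed value, not from the thread).
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    ; Offline root: publish no CRL distribution point in its own certificate.
    CRLPeriod=Years
    CRLPeriodUnits=1
    ```

    After renewing with a new key, the new root certificate must be redistributed to relying parties, while the old one keeps validating certificates it already signed until it expires; verify the result with `certutil -dump` on the renewed certificate, which reports the key size.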
  • Wednesday 02 May 2012 13:14

    This might be worth a look too: http://www.keylength.com/

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk