יום רביעי 25 אפריל 2012 02:00
I found a few threads in the past that recommend caution when using key sizes larger than 2048 bits in a PKI hierarchy given that some older software and hardware may have issues. Older versions of Java and Cisco VPN 3000 concentrators have been mentioned.
I notice all of the major public certificate vendors use 2048 bit CA key sizes - but I would imagine these would be constrained to supporting the lowest common denominator.
Has anyone deployed their PKI using 4096 bit CA keys in their hierarchy - eg offline root? If so have you come across any compatibility issues other than the ones above?
Is there a list of software/hardware other than those I've mentioned earlier that are known to have compatibility issues with > 2048 bit CA keys?
Finally, If I did go with a 4096 bit root CA key in my hierachy and subsequently encounter issues, is "downsizing" as simple as regenerating the root CA key with a 2048 bit keysize?
יום רביעי 25 אפריל 2012 16:29
I have used 4096bit for quite a few AD CS deployments and never had a problem. Hopefully most modern-day vendors and solutions should be able to cope with a 4096 bit key by now.
The choice of hashing algorithm like SHA2, rather than key length, seems to be more real-world impacting from what I have seen...
I know 2048 is the safer option if you want to provide the maximum level of compatibility, but I think you know that ;)
- סומן כתשובה על-ידי pb3000 יום שלישי 01 מאי 2012 16:57
יום שלישי 01 מאי 2012 16:57
Thank you for your very helpful reply. Apologies for the delay I was was unable to login to the forums for a while.
Will bear your advice in mind going forward.
Can anyone advise whether it is possible to downsize to a smaller key (or upsize to a larger one) by simply generating a new key pair on the CA(s)?
יום שלישי 01 מאי 2012 17:31
Yep, you can resize in both directions (using CAPolicy.inf)
Here are my known "bad" apps that cannot work with CA keys > 2048 bits
- Cisco VPN 3000 concentrators
- Nortel Contivity devices
- Java applications compiled prior to Java RTE 1.5
- סומן כתשובה על-ידי pb3000 יום שלישי 08 מאי 2012 15:49
יום רביעי 02 מאי 2012 13:14