Certificate from CSR results in "Illegal key in request, Invalid key size"

  • emfau

    emfau - 2013-08-15

    Hi all,

    I'm totally lost and hope for help over here...
    I have a running EJBCA installation with a set of different Root CAs, certificate and end entity profiles - all working nicely so far. The trouble starts when I wanted to renew an end entity's certificate because the key now resides in an HSM. Trying to enroll by using "Create Certificate from CSR" always gives me an
    "EJBCA Certificate Enrollment Error
    Username: xxxxx
    Invalid Key in request: Illegal key length: 1024... Please supply a correct request"

    The most basic checks don't show any obvious problem - when using the "Inspect certificate/CSR" from the public web the request is parsed just fine. A test with openssl shows the CSR actually contains a 2048 bit RSA key. All profile settings related to key size are set and fixed to only 2048 bit.
    It doesn't matter whether I paste the request as a PEM object or do the upload via the file selection mechanism as PEM or DER.
    To make sure that the request isn't the culprit I also generated a CSR with openssl, but same result.

    Oh, not to forget - the unrestricted policy files are installed.

    Any idea what I'm doing wrong?


  • emfau

    emfau - 2013-08-16

    After looking in the code I finally realized my misconception of the CSR option. I thought that by definition this would only apply to key material that is generated on the part of the user and would operate on the public key provided with the request. But as long as you don't follow what is clearly stated in the documentation

    Under "Token", choose "User Generated".

    for any incoming CSRs a new key pair will be generated. So a layer 8 problem, sorry....
    But still one thing seems a little odd to me - the fact that a key with 1024 bits is generated even though neither the certificate profile nor the ca profile allows for this key size. Also I couldn't find a way to configure or ask for 2048 bits?
    Is this just an "issue" because I was using the CSR option combined with a wrong configuration or sort of a problem/bug?

    Sorry for the noise again

  • Tomas Gustavsson

    Yes, when you select a "token" type the CSR is completely ignored. This is as designed. If you, instead of trying to send a CSR to generate a server generated token, choose "generate keystore" you can select the key size.

    In the next major release of EJBCA we have introduced an error condition to prevent this mistake: you will not be able to submit a CSR and get something back unless you have "User generated" selected.


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.


      GONGGARENQING - 2016-04-20

      Hi Tomas,

      I am using openssl cmpclient to get a certificate from EJBCA. I am using 2048 key size for the EE private key and for the CA.

      But when trying to get the certificate, it always fails because of illegal key size. But it is ok for a 4096 key.

      I checked your docs, I don't think this is related to the Unlimited Strength crypto policy files.

      I am using EJBCA 6.3.2.

      INFO: Sending Initialization Request
      140363696039592:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: Illegal key length: 2048."


  • Tomas Gustavsson

    Check your certificate profile.


      GONGGARENQING - 2016-04-21

      Thanks a lot....since I configured the profile through the GUI....the "Available bit lengths" doesn't look like it indicates that only certain keys are accepted...it shows "Available bit lengths" and lists them all....Maybe we can change it to a select box like "Default Certificate Profile" in the EE profile. Anyway thanks again for your hint.
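
As an added example (not code from this thread, from EJBCA or from PrimeKey), the key-size check the first post did by hand with openssl, followed by a comparison against the bit lengths a certificate profile permits. ALLOWED_BITS stands in for the profile's "Available bit lengths" and is an assumption; the two throwaway keys and CSRs are constructed test data.

```shell
#!/bin/sh
# Added example: read the RSA key size out of a PEM CSR with openssl and check it
# against the key sizes a certificate profile allows, before submitting the CSR.
set -e

# Assumption: this set stands in for the profile's "Available bit lengths".
ALLOWED_BITS="2048 4096"

# csr_key_bits FILE: print the modulus size (bits) of the public key inside a CSR.
# "openssl req -text" prints "Public-Key: (2048 bit)" (OpenSSL 3) or
# "RSA Public-Key: (2048 bit)" (OpenSSL 1.1); the sed pattern matches both.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# csr_key_allowed FILE: succeed only if the CSR's key size is in ALLOWED_BITS.
csr_key_allowed() {
    bits=$(csr_key_bits "$1")
    for b in $ALLOWED_BITS; do
        [ "$bits" = "$b" ] && return 0
    done
    echo "$1: key size ${bits:-unknown} bit is not in the allowed set ($ALLOWED_BITS)" >&2
    return 1
}

# make_csr BITS OUTFILE: constructed test data, a throwaway key plus its CSR.
make_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=demo-end-entity" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_csr 2048 "$WORK/ee2048.csr"   # the size the poster actually submitted
make_csr 1024 "$WORK/ee1024.csr"   # the size EJBCA reported as "Illegal key length"

for f in "$WORK/ee2048.csr" "$WORK/ee1024.csr"; do
    if csr_key_allowed "$f"; then
        echo "$f: $(csr_key_bits "$f") bit key, accepted by the profile"
    fi
done
```

The same check against the profile's real "Available bit lengths" list tells you before enrollment whether a "Illegal key length" rejection is coming from the CSR or from the profile.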
