From: Tomas G. <to...@pr...> - 2004-05-31 15:09:31
Hi, very lame that Sun does not support 4096 bit keys. I found another
reference on this.
I tested some more, now on a 1GHz system, and on that it seems to work
every time to create the CA. It also works fine using it to generate
browser certs etc., I got a 2048bit key signed by the 4096 bit CA for my
Mozilla client.
The only thing not working with 4096 bit keys is the batch generation
of users, which must be done via the command line interface.
A good example of a hierarchy with keysizes would be:
Root - 4096
|
SubCA - 2048
|
End user - 1024
The 4096 bit CA is only used to sign subCAs.
Cheers,
Tomas
Ken Gunderson wrote:
>On Sunday 30 May 2004 10:59 am, Tomas Gustavsson wrote:
>
>
>>I added stuff in jboss.xml that is supposed to increase the timeout
>>in JBoss 3.2.4, haven't tested it though.
>>Since keygeneration takes different time (depending on random
>>factors), it might work the next time you try. I managed to do it on
>>my 800MHz pc, perhaps every second time it worked and every second
>>time it timed out.
>>
>>
>
>You must be psychic;-) I'm just messing around with this again
>now....;-)
>
>This particular test bed is PIII 700 MHz w/1024MB ram. I thought
>perhaps the success/failure might be a timeout issue related to the time
>required to generate sufficient randomness prior to actual key
>generation. So I configured the machine to gather additional randomness
>from NIC and disk controller IRQs, ran a find on some obscure file,
>added some additional tcp/ip traffic; key generation runs a bit faster,
>but still times out. 2048 bit keys are generated in short order
>though, so I rule out "wimpy hardware", especially since there is no problem
>whatsoever creating 4096 bit keys via OpenSSL (on even 300 MHz
>machines).
>
>I thought it might be related to timing out once the key is created but not yet
>transferred to the db. Double checked my.cnf to make sure
>max_allowed_packet was not set to some ridiculously small default,
>but it's 1 MB, so it should not be the bottleneck. The DB is on a 2nd machine
>though, connected via 100baseTX.
>
>
>
>>I found another bug that you can't fetch the CA-cert using the
>>command line interface though. Will look into this later, perhaps SUN
>>Java can't handle 4096 bit keys?
>>It works using the webGUI though you can download the CA-cert from
>>http://localhost:8080/ejbca/publicweb/webdist/cacert.jsp
>>
>>
>
>My first attempts were indeed via the command line. I've subsequently tried
>via the gui and determined that the keys are created and make it to the
>database. I can also then use the keys to create other keys, but of
>course they also time out... But they are then subsequently accessible via the
>gui.
>
>I thought Java could handle 4096 bit keys. However, looks like I was
>incorrect....
>
>rootshell# keytool -genkey -alias foobar -keystore foobar.jks -keyalg
>RSA -keysize 4096 -sigalg SHA1withRSA -storepass foopass
>
>keytool error: java.lang.IllegalArgumentException: Modulus size must
>range from 512 to 2048
>
>Now how lame is that??? RSA supports keysizes MUCH larger than 2048
>bits...
>
>I'm not a PKI guru, but I thought you were supposed to use large key
>size for root CA keys, then could use smaller size as appropriate for
>sub CA, end user, etc.
>
>
>
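The three-tier hierarchy Tomas sketches (Root 4096, SubCA 2048, end user below it, with the root key used only to sign sub-CAs), built with OpenSSL so that the 4096-bit root key never has to pass through keytool's 2048-bit limit that Ken ran into. This is an added example, not code from the thread or from EJBCA. It assumes openssl(1) 1.1.1 or later on PATH; the CNs, file names and extension profiles are made up for illustration, and the end-user key is 2048 bits rather than the 1024 in the post, since 1024-bit RSA is below current minimums.

```shell
#!/bin/sh
# Added example (not from the thread or EJBCA): a Root 4096 / SubCA 2048 /
# end-user 2048 hierarchy built with OpenSSL. Assumes openssl(1) 1.1.1+ on PATH.
# All CNs, file names and extension profiles below are made up for illustration.
set -eu

# Extension profiles for the three tiers. pathlen:1 on the root allows exactly
# one CA layer beneath it; pathlen:0 on the sub-CA means it may sign end-entity
# certificates only, never another CA.
write_extensions() {
    cat > "$1" <<'EOF'
[root]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[user]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build root.crt (4096), sub.crt (2048, signed by the root) and user.crt
# (2048, signed by the sub-CA) in the given directory. The root key signs
# exactly one thing here: the sub-CA certificate.
build_hierarchy() {
    dir="$1"
    mkdir -p "$dir"
    write_extensions "$dir/ext.cnf"
    (
        cd "$dir"
        # Root: 4096-bit key, self-signed with the [root] profile.
        openssl req -new -newkey rsa:4096 -nodes -keyout root.key -out root.csr \
            -subj "/CN=Example Root CA" 2>/dev/null
        openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
            -extfile ext.cnf -extensions root -out root.crt 2>/dev/null
        # Sub-CA: 2048-bit key, CSR signed by the root.
        openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
            -subj "/CN=Example Sub CA" 2>/dev/null
        openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -days 1825 -sha256 -extfile ext.cnf -extensions subca -out sub.crt 2>/dev/null
        # End user: 2048-bit key, signed by the sub-CA, never by the root.
        openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
            -subj "/CN=Example End User" 2>/dev/null
        openssl x509 -req -in user.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
            -days 365 -sha256 -extfile ext.cnf -extensions user -out user.crt 2>/dev/null
    )
}

# RSA modulus size of the public key in a certificate, e.g. 4096.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Full-chain check: trust only the root, supply the sub-CA as an untrusted
# intermediate, and verify the end-user certificate.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/user.crt"
}

# What a relying party that only holds the root sees when the intermediate is
# missing: verification fails, because the root never signed user.crt directly.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/user.crt" >/dev/null 2>&1
}

PKI_DIR="${1:-${TMPDIR:-/tmp}/pki-example}"
build_hierarchy "$PKI_DIR"
echo "root: $(key_bits "$PKI_DIR/root.crt") bit, sub-CA: $(key_bits "$PKI_DIR/sub.crt") bit, user: $(key_bits "$PKI_DIR/user.crt") bit"
verify_chain "$PKI_DIR"
```

Run it as `sh ca-hierarchy.sh [directory]`; it prints the three key sizes and `user.crt: OK`. The root private key is touched once, to sign the sub-CA, and can then go offline; everything a client such as Mozilla needs to validate user.crt is the root certificate plus the sub-CA certificate shipped as an intermediate, which `verify_without_intermediate` demonstrates by failing.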