Weak Keys System Check
- Currently 2048 bit key size with an exponent of at least 65537 is recommended.
- We are also checking for the debian vulnerability in client certs, because OpenSSL may be used as a library e.g. by browsers (maybe Konqueror?). Just to be on the safe side.
- You are linked to this page because your used key size or the exponent used for your key is identified to be too small or your key is listed in the openssl-blacklist
Cause: Small Key Size
If the key is too small:
- The keys that you use are very small and therefore insecure. Please generate stronger keys.
Currently 2048 bit key size with an exponent of at least 65537 is recommended (see <NIST>)
More information about this issue can be found in How to prevent Small Key size and Suggest Key Sizes
Cause: Exponent is too small
If the exponent is too small:
- The keys you use might be insecure. Although there is currently no known attack for reasonable encryption schemes, we're being cautious and don't allow certificates for such keys. Please generate stronger keys.
- Currently 2048 bit key size with an exponent of at least 65537 is recommended.
More information about this issue can be found in <NIST>
To prevent small exponents you should follow the instructions under How to prevent Small Exponents
Cause: Debian Vulnerability
If the key is refused because of the debian vulnerability:
- The keys you use have very likely been generated with a vulnerable version of OpenSSL which was distributed by debian. Please generate new keys.
More information about this issue can be found in Debian Vulnerability Handling
Arbitration case a20110312.1