Weak Keys System Check
Currently (A.D. 2014) a key size of 2048 bit with an exponent of at least 65537 is recommended; therefore CAcert only signs certificates with a key size of at least 2048 bit.
- We are also checking for the Debian vulnerability in client certs, because OpenSSL may be used as a library, e.g. by browsers (maybe Konqueror?). Just to be on the safe side.
- You have been linked to this page because the key size or the exponent of your key has been identified as too small, or because your key is listed in the openssl-blacklist.
Cause: Small Key Size
If the key is too small:
- The keys that you use are very small and therefore insecure. Please generate stronger keys.
- Currently (A.D. 2014) a key size of 2048 bit with an exponent of at least 65537 is recommended (see <NIST>).
Cause: Exponent is too small
If the exponent is too small:
- The keys you use might be insecure. Although there is currently no known attack for reasonable encryption schemes, we're being cautious and don't allow certificates for such keys. Please generate stronger keys.
- Currently (A.D. 2014) a key size of 2048 bit with an exponent of at least 65537 is recommended.
More information about this issue can be found in <NIST>.
To prevent small exponents, follow the instructions under How to prevent Small Exponents.
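The key size and exponent limits stated above, written as a check you can run on your own public key before submitting a CSR. This is an added example, not CAcert's code: it reads a bare DER-encoded PKCS#1 RSAPublicKey, all function names are made up for the illustration, the sample keys are built by `encode_rsa_public_key` from constructed numbers rather than real keys, and the Debian blacklist check is not covered.

```python
MIN_BITS = 2048        # minimum key size stated on this page
MIN_EXPONENT = 65537   # minimum public exponent stated on this page

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one DER SEQUENCE")
    tag_n, raw_n, pos = _read_tlv(body, 0)
    tag_e, raw_e, pos = _read_tlv(body, pos)
    if (tag_n, tag_e) != (0x02, 0x02) or pos != len(body):
        raise ValueError("expected exactly two INTEGERs")
    if not raw_n or not raw_e or (raw_n[0] | raw_e[0]) & 0x80:
        raise ValueError("modulus and exponent must be positive")
    return int.from_bytes(raw_n, "big"), int.from_bytes(raw_e, "big")

def weak_key_reasons(der):
    """Return the refusal causes from this page that apply (empty list = acceptable)."""
    modulus, exponent = parse_rsa_public_key(der)
    reasons = []
    if modulus.bit_length() < MIN_BITS:
        reasons.append("small key size")
    if exponent < MIN_EXPONENT:
        reasons.append("exponent too small")
    return reasons

def _tlv(tag, value):
    size, nbytes = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([size]) if size < 0x80 else bytes([0x80 | nbytes]) + size.to_bytes(nbytes, "big")
    return bytes([tag]) + head + value

def encode_rsa_public_key(modulus, exponent):  # builds constructed sample keys (DER)
    ints = (_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (modulus, exponent))
    return _tlv(0x30, b"".join(ints))
```

The key size is measured as the bit length of the modulus, so a modulus with leading zero bits counts as shorter than its byte length suggests.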
Cause: Debian Vulnerability
If the key is refused because of the Debian vulnerability:
- The keys you use have very likely been generated with a vulnerable version of OpenSSL which was distributed by Debian. Please generate new keys.
More information about this issue can be found in Debian Vulnerability Handling.
Problems with renewing certificates
If you have been linked to this page during certificate renewal, the only solution is to create a new certificate with the appropriate key settings. For this you have to create a new Certificate Signing Request (CSR) with your browser or, preferably, with an external program.
Arbitration case a20110312.1