Open Einstein42 opened 5 years ago
For modern implementations the keySize should default to 2048 anyway, and as you rightly point out should be applied to both keys.
PR incoming...
I had this error with OpenSSL 1.1.1j (2021-02-16) because the private key size is only 1024 bits by default.
Please increase the default private key size to 2048 bit!
https://github.com/jfromaniello/selfsigned/blob/7bd58764439eee6198895338fd2f6e388f5833d0/index.js#L113
var pems = await selfsigned.generate(attrs, opts)
Trying to use the client certificate to connect to the server. In this case MQTT.JS connecting to AEDES.
On Debian I receive the error message:
Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
OpenSSL 1.1.1d 10 Sep 2019
Only way around it is to modify: /etc/ssl/openssl.cnf and change:
CipherString = DEFAULT@SECLEVEL=2 to CipherString = DEFAULT@SECLEVEL=1
I believe the issue is the referenced issue above and generating the client certificates as 1024 bit. SECLEVEL=2 requires a minimum of 2048 bits.
Expose an option for clientCertificateKeySize just like you use keySize for the server side and that should satisfy the requirements. That or just using keySize for both would be fine as well.