## 20160522 AK
----
 [[WeakKeys/CZ|Česky]] | '''english'''
----

= Weak Keys System Check =
 . Currently (A.D. 2014) a key size of 2048 bit with an exponent of at least 65537 is recommended; therefore CAcert '''only''' signs certificates with a key size of at least 2048 bit.
 . We are also checking for the Debian vulnerability in client certs, just to be on the safe side, because OpenSSL may be used as a library, e.g. by browsers (maybe Konqueror?).
 . You were linked to this page because the key size or the exponent of your key was identified as too small, or because your key is listed in the openssl-blacklist.

== Cause: Small Key Size ==
If the key is too small:
 . The keys that you use are very small and therefore insecure. Please generate stronger keys.
 . Currently (A.D. 2014) a key size of 2048 bit with an exponent of at least 65537 is recommended (see [[http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf]]).
 . More information about this issue can be found in [[WeakKeys/SmallKey|How to prevent Small Key size]] and [[SuggestKeySizes|Suggest Key Sizes]].

== Cause: Exponent is too small ==
If the exponent is too small:
 . The keys you use might be insecure. Although there is currently no known attack for reasonable encryption schemes, we're being cautious and don't allow certificates for such keys. Please generate stronger keys.
 . Currently (A.D. 2014) a key size of 2048 bit with an exponent of at least 65537 is recommended.
 . More information about this issue can be found in [[http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf]].
 . To prevent small exponents you should follow the instructions under [[WeakKeys/SmallExponent|How to prevent Small Exponents]].

== Cause: Debian Vulnerability ==
If the key is refused because of the Debian vulnerability:
 . The keys you use have very likely been generated with a vulnerable version of OpenSSL which was distributed by Debian. Please generate new keys.
 . More information about this issue can be found in [[DebianVulnerabilityHandling|Debian Vulnerability Handling]].

== Problems with renewing of certificates ==
If you have been linked to this page during a certificate renewal, the '''only''' solution is to create a '''new''' certificate with the appropriate key settings. For this you have to [[CSRGenerator|create a new Certificate Signing Request (CSR)]] with your browser or, preferably, by using an external program.

----
 . Arbitration case [[Arbitrations/a20110312.1|a20110312.1]]
----
 . CategorySystems
 . CategorySoftware
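The first two checks described on this page (key size and public exponent) can be run locally before a key is submitted. The following is an added example, not CAcert's own code: it reads a DER-encoded RSA public key (PKCS#1 or SubjectPublicKeyInfo) and lists which of the two limits it violates. All function names are chosen for this example, `sample_key` builds constructed test input rather than usable keys, and the Debian blacklist check is not covered.

```python
MIN_BITS, MIN_EXPONENT = 2048, 65537  # limits stated on this page

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_numbers(der):
    """Return (n, e) from a PKCS#1 RSAPublicKey or an X.509 SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, first, nxt = read_tlv(body, 0)
    if tag == 0x30:  # SPKI: AlgorithmIdentifier, then BIT STRING wrapping the key
        tag, bits, _ = read_tlv(body, nxt)
        if tag != 0x03 or bits[:1] != b"\x00":
            raise ValueError("unexpected public key encoding")
        return rsa_numbers(bits[1:])
    tag2, second, _ = read_tlv(body, nxt)
    if (tag, tag2) != (0x02, 0x02):
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(first, "big"), int.from_bytes(second, "big")

def check_key(der):
    """Return the reasons the key would be refused (empty list = acceptable)."""
    n, e = rsa_numbers(der)
    problems = []
    if n.bit_length() < MIN_BITS:
        problems.append("small key size: %d bit" % n.bit_length())
    if e < MIN_EXPONENT:
        problems.append("exponent too small: %d" % e)
    return problems

def der_encode(tag, value):  # used only to build the constructed samples
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def sample_key(bits, e):
    """Constructed input: a modulus-sized odd number, NOT a usable RSA key."""
    n = (1 << (bits - 1)) | 1
    ints = [der_encode(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (n, e)]
    return der_encode(0x30, b"".join(ints))
```

To check a real key, pass the DER bytes of the public key (the base64-decoded body of a `PUBLIC KEY` or `RSA PUBLIC KEY` PEM file) to `check_key`.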