IBM Support

error "Illegal Key size" when trying to generate a Certificate Signing Request

Technical Blog Post


Abstract

error "Illegal Key size" when trying to generate a Certificate Signing Request

Body

You are using GSKit provided with WebSphere Application Server to generate a certificate signing request or a self-signed certificate to be used with Maximo. When you run the Java version of the "gsk7cmd" command to generate a 4096-bit key, it fails with an InvalidKeyException carrying the message "Illegal key size".
 
How do you fix it?
 

The JCE policy files shipped with the JRE limit the key sizes that can be used. The default (restricted) policy permits RSA keys of at most 2048 bits, so a 4096-bit key is rejected. To use larger keys you need to replace the policy files in the JRE with the unrestricted versions. Older JREs ship with the restricted policy by default.

The correct way to resolve this problem is to download and replace two policy JAR files. They are found in %JAVA_HOME%/jre/lib/security and are called:

local_policy.jar
US_export_policy.jar

You can download the policy JAR files from here (replace both files and then restart the JVM, since the policy is read only at JVM startup):

http://www.ibm.com/developerworks/java/jdk/security/index.html
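Before swapping JAR files it is useful to confirm from inside the same JRE that the policy really is the cause. The following is an added example, not IBM's code and not part of gsk7cmd: it asks the JCE framework for the largest RSA key length the installed jurisdiction policy permits, then reproduces the failure path by generating a 4096-bit RSA key and handing it to Cipher.init, which is where the CryptoPermission check throws. The class name JcePolicyCheck and the 4096-bit target are assumptions for this example.

```java
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;

// Added example (not IBM code): checks the JCE jurisdiction policy of the
// running JRE for RSA key-size limits and reproduces the "Illegal key size" path.
public class JcePolicyCheck {

    // Key size the CSR tooling was asked for (4096 bits, as in the support note).
    static final int WANTED_RSA_BITS = 4096;

    // Largest RSA key length the installed policy allows.
    // A restricted local_policy.jar (CryptoPermission "RSA", 2048) reports 2048;
    // an unrestricted one (CryptoAllPermission) reports Integer.MAX_VALUE.
    static int maxRsaBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("RSA");
    }

    // True if an RSA key of 'bits' may be used with Cipher under the current policy.
    static boolean policyAllows(int bits) throws NoSuchAlgorithmException {
        return bits <= maxRsaBits();
    }

    // Reproduces the failure: KeyPairGenerator is not policy-limited, so the
    // 4096-bit key is created without error. The InvalidKeyException only
    // surfaces when the key reaches Cipher.init, which enforces CryptoPermission.
    static String tryUseKey(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits);
        KeyPair kp = kpg.generateKeyPair();
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, kp.getPublic());
            return "ok";
        } catch (InvalidKeyException e) {
            // Under a restricted policy the message is the "Illegal key size" seen by gsk7cmd.
            return "InvalidKeyException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        int max = maxRsaBits();
        System.out.println("Policy RSA limit: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        System.out.println("Requested " + WANTED_RSA_BITS + " bits allowed: "
                + policyAllows(WANTED_RSA_BITS));
        System.out.println("Cipher.init with " + WANTED_RSA_BITS + "-bit key: "
                + tryUseKey(WANTED_RSA_BITS));
        // java.home is the JRE directory, i.e. %JAVA_HOME%/jre on a JDK install.
        System.out.println("Policy files live in: "
                + System.getProperty("java.home") + "/lib/security");
    }
}
```

Compile with javac and run it with the same java executable that WebSphere and gsk7cmd use, not whichever Java happens to be first on the PATH. A limit of 2048 bits plus an InvalidKeyException on the last line confirms the restricted policy files are installed in that JRE; after replacing the two JARs and restarting, the same program should report an unlimited policy and "ok".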

The restrictions live in the policy files themselves (local_policy.jar), and they can also be edited manually, but this is not the recommended approach, because an incorrect change to the file can cause SSL to stop working.

As an example of how the restrictions are expressed, local_policy.jar contains a text file called default_local.policy in which specific crypto permissions are granted. The restricted version of that file looks like this (note the 2048-bit limit on RSA):

// Some countries have import limits on crypto strength. This policy file is worldwide importable.
grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128,
                                     "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RC5", 128,
          "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "RSA", 2048;
    permission javax.crypto.CryptoPermission *, 128;
};


To remove the limits, you can replace the contents of this file with the unrestricted policy shown below:

// Country-specific policy file for countries with no limits on crypto strength.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};

Product: Maximo Asset Management (SSLKT6); Business Unit: IoT; Platform: Platform Independent

UID

ibm11132593