Technical Blog Post
Error "Illegal Key size" when trying to generate a Certificate Signing Request
If the policy files of the JRE in use do not allow you to create a 2048-bit certificate, you will need to replace that JRE's policy files. Older JREs disable larger key sizes by default.
The correct way to resolve this problem is to download and replace the 2 policy jar files.
They are found in %JAVA_HOME%/jre/lib/security and are called:
You can download the policy jar files from here:
Your "local policy file" may contain restrictions that can be replaced manually, but this is not the recommended approach, because incorrect changes to the file can cause SSL to stop working.
As an example of how to enable other cryptographic algorithms, the local_policy.jar file contains a file called default_local.policy. In that text file, specific crypto permissions are granted.
See the example of the restrictions found in the file below:
// Some countries have import limits on crypto strength. This policy file is worldwide importable.
grant {
    // Each entry caps the key size (in bits) for one algorithm; * means no cap.
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128,
        "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RC5", 128,
        "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "RSA", 2048;
    // Any algorithm not listed above is limited to 128 bits.
    permission javax.crypto.CryptoPermission *, 128;
};
You can replace the contents of this file with the contents shown below:
// Country-specific policy file for countries with no limits on crypto strength.
// There is no restriction to any algorithms.
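To confirm which restrictions a given JRE actually enforces, before and after replacing the policy jars, you can ask the runtime directly. The following is an added example, not part of the original post; the class name PolicyCheck and the required key sizes are assumptions chosen for illustration.

```java
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;

// Added example (hypothetical class name): asks the running JRE which key-size
// caps its installed policy jars enforce.
public class PolicyCheck {

    // Effective cap in bits; Integer.MAX_VALUE means no restriction,
    // -1 means the transformation string was rejected.
    static int maxKeyBits(String algorithm) {
        try {
            return Cipher.getMaxAllowedKeyLength(algorithm);
        } catch (NoSuchAlgorithmException e) {
            return -1;
        }
    }

    static String describe(int cap) {
        if (cap == Integer.MAX_VALUE) return "unlimited";
        return cap < 0 ? "unknown" : cap + " bits";
    }

    public static void main(String[] args) {
        // Constructed requirements: algorithm and the key size (bits) needed.
        // AES has no entry of its own in the restricted listing above, so it
        // falls under the "*" entry.
        String[] algorithms = { "RSA", "AES", "DESede", "RC4", "DES" };
        int[] requiredBits  = { 2048,  256,   168,      128,   56 };

        boolean restricted = false;
        for (int i = 0; i < algorithms.length; i++) {
            int cap = maxKeyBits(algorithms[i]);
            boolean ok = cap >= requiredBits[i];
            restricted |= !ok;
            System.out.println(algorithms[i] + ": cap " + describe(cap)
                    + ", need " + requiredBits[i] + " -> " + (ok ? "ok" : "BLOCKED"));
        }

        // Policy jars are per JRE, so show which installation was checked.
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println(restricted
                ? "Restricted policy files are in effect for this JRE."
                : "Policy files allow every required key size.");
        System.exit(restricted ? 1 : 0);
    }
}
```

Run it with the same java binary the failing application uses; the printed java.home shows which installation's lib/security directory holds the policy jars that were evaluated.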