Different RSA keySize setting for root certificates

Sean Mullan sean.mullan at oracle.com
Mon Nov 24 14:34:27 UTC 2025


Hi Ben,

Thanks for your suggestion. It might be something to consider later if 
we find that it is causing many issues. However, in general we want the 
restrictions to be enforced consistently across all certificates used in 
a certificate chain.

That said, you could apply these stronger restrictions to TLS server 
certificates by implementing a CertPathChecker that enforces the 
4096-bit rule, and adding that to the PKIXParameters of a 
CertPathChecker. With JSSE this can be done via 
javax.net.ssl.CertPathTrustManagerParameters.

--Sean

On 11/21/25 2:34 AM, Benjamin Marwell wrote:
> Dear security-dev list members!
> 
> Recently I was thinking I could raise the RSA restrictions to >= 4096,
> i.e. setting something like this:
> 
>      jdk.tls.disabledAlgorithms=..., RSA keySize < 4096
> 
> However, while all TLS server certificates do have RSA 4096 (or EC) 
> nowadays, root certificates are another game.
> They often still use RSA 2048, and this is perfectly fine, according to 
> most comments by security researchers I have seen.
> So, applying this setting will lead to most server connections being 
> rejected.
> 
> Now, I wonder if we could have two settings.
> We already have `jdk.security.caDistrustPolicies`.
> Maybe we could have `jdk.tls.disabledCaAlgorithms` which defaults to 
> `jdk.tls.disabledAlgorithms` if not specified.
> Or maybe something along those lines.
> 
> This way, we could enforce RSA4096 server connections via TLS,
> but still allow those certs to be signed with a root CA that still uses 
> RSA2048.
> 
> I know, this is of limited use in most environments, but I still wanted 
> to introduce you to this idea.
> 
> Please let me know if this is a sensible request.
> 
> Thanks!
> - Ben
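The CertPathChecker approach Sean describes above, written out as an added example; this is not code from the thread or from the JDK. It assumes the class name EndEntityRsaKeySizeChecker, a 4096-bit minimum, that a certificate without a cA=true Basic Constraints extension is the TLS server (end-entity) certificate, and that the JDK's own cacerts file can be loaded with the default "changeit" password. CA certificates in the chain are deliberately skipped, so a 2048-bit root still validates while a 2048-bit server key is rejected, which is the split Ben asked for:

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.Collection;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical checker (not part of the JDK): rejects end-entity certificates whose
 * RSA public key is shorter than minBits and leaves CA certificates alone.
 * A certificate is treated as end-entity when getBasicConstraints() == -1,
 * i.e. it does not assert cA=true (assumption made for this example).
 */
public final class EndEntityRsaKeySizeChecker extends PKIXCertPathChecker {

    private final int minBits;

    public EndEntityRsaKeySizeChecker(int minBits) {
        this.minBits = minBits;
    }

    @Override
    public void init(boolean forward) throws CertPathValidatorException {
        // PKIX validation hands certificates to check() from the trust anchor
        // towards the leaf (reverse order); forward order is not supported here.
        if (forward) {
            throw new CertPathValidatorException("forward checking not supported");
        }
    }

    @Override
    public boolean isForwardCheckingSupported() {
        return false;
    }

    @Override
    public Set<String> getSupportedExtensions() {
        return null; // this checker resolves no critical extensions
    }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate x509 = (X509Certificate) cert;
        if (x509.getBasicConstraints() != -1) {
            return; // CA certificate: root/intermediate key sizes stay governed by jdk.tls.disabledAlgorithms
        }
        PublicKey key = x509.getPublicKey();
        if (key instanceof RSAKey) {
            int bits = ((RSAKey) key).getModulus().bitLength();
            if (bits < minBits) {
                throw new CertPathValidatorException(
                        "end-entity RSA key is " + bits + " bits, policy requires >= " + minBits
                                + " (" + x509.getSubjectX500Principal() + ")",
                        null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
            }
        }
    }

    /** Wires the checker into a PKIX TrustManager via javax.net.ssl.CertPathTrustManagerParameters. */
    public static TrustManager[] trustManagersWithLeafPolicy(KeyStore trustStore, int minRsaBits)
            throws Exception {
        // The JSSE PKIX trust manager requires PKIXBuilderParameters, not plain PKIXParameters.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertPathChecker(new EndEntityRsaKeySizeChecker(minRsaBits));
        // PKIXParameters enable revocation checking by default; with no CRL/OCSP source
        // configured every path would fail. This keeps the JDK's default TLS behaviour
        // (no revocation checking); add a PKIXRevocationChecker to turn it on.
        params.setRevocationEnabled(false);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf.getTrustManagers();
    }

    /** Installs a default SSLContext built from the JDK's cacerts with a 4096-bit leaf policy. */
    public static void main(String[] args) throws Exception {
        Path cacerts = Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            trustStore.load(in, "changeit".toCharArray()); // default cacerts password (assumption)
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagersWithLeafPolicy(trustStore, 4096), null);
        SSLContext.setDefault(ctx);
        System.out.println("Default SSLContext now rejects RSA server keys shorter than 4096 bits");
    }
}
```

The checker only ever sees certificates between the trust anchor and the leaf, never the anchor itself, so the root's key size is untouched no matter what; intermediates are skipped by the Basic Constraints test. Note that jdk.tls.disabledAlgorithms keeps applying to the whole chain alongside this checker, so it should stay at the chain-wide floor (for example RSA keySize < 2048) while the stricter 4096-bit rule lives in the checker; a failure surfaces to the client as a handshake exception whose cause carries the ALGORITHM_CONSTRAINED reason and the offending subject, which is what you would log and alert on.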
