Solved

keytool keysize not honored

  • February 19, 2025
  • 2 replies
  • 20 views

downhill
Byte

It appears with 11.36 keytool is cranking out 3072 bit requests. Even if I specify -keysize 2048 the CSR is exactly the same as the default with no keysize specified and can’t be accepted by the CA (2048 or 4096 allowed). I did open a support case, but since this question came up for the windows cvcerttool as well, it seems like many of us would like the ability to specify keysize.

Does anyone know if this is by design or if there is any enhancement request in the pipeline yet?

thanks

Best answer by Jacek Piechucki

No… everything works well…

2048b key

keytool -genkey -keysize 2048 -alias tomcat -keyalg RSA -keystore "C:\mykeystore-2048.jks" -ext SAN=dns:webconsole.lab.local
Enter keystore password:
Re-enter new password:
Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
What is your first and last name?
  [Unknown]:  webconsole.lab.local
What is the name of your organizational unit?
  [Unknown]:  bb
What is the name of your organization?
  [Unknown]:  cc
What is the name of your City or Locality?
  [Unknown]:  dd
What is the name of your State or Province?
  [Unknown]:  ab
What is the two-letter country code for this unit?
  [Unknown]:  ba
Is CN=webconsole.lab.local, OU=bb, O=cc, L=dd, ST=ab, C=ba correct?
  [no]:  yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 90 days
        for: CN=webconsole.lab.local, OU=bb, O=cc, L=dd, ST=ab, C=ba

3072b key

keytool -genkey -keysize 3072 -alias tomcat -keyalg RSA -keystore "C:\mykeystore-3072.jks" -ext SAN=dns:webconsole.lab.local
Enter keystore password:
Re-enter new password:
Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
What is your first and last name?
  [webconsola.lab.local]:
What is the name of your organizational unit?
  [bb]:
What is the name of your organization?
  [cc]:
What is the name of your City or Locality?
  [dd]:
What is the name of your State or Province?
  [ee]:
What is the two-letter country code for this unit?
  [ab]:
Is CN=webconsola.lab.local, OU=bb, O=cc, L=dd, ST=ee, C=ab correct?
  [no]:  yes

Generating 3,072 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 90 days
        for: CN=webconsola.lab.local, OU=bb, O=cc, L=dd, ST=ee, C=ab

4096b key

keytool -genkey -keysize 4096 -alias tomcat -keyalg RSA -keystore "C:\mykeystore-4096.jks" -ext SAN=dns:webconsole.lab.local
Enter keystore password:
Re-enter new password:
Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
What is your first and last name?
  [aa]:  webconsole.lab.local
What is the name of your organizational unit?
  [bb]:
What is the name of your organization?
  [cc]:
What is the name of your City or Locality?
  [dd]:
What is the name of your State or Province?
  [ee]:
What is the two-letter country code for this unit?
  [ab]:
Is CN=webconsole.lab.local, OU=bb, O=cc, L=dd, ST=ee, C=ab correct?
  [no]:  yes

Generating 4,096 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 90 days
        for: CN=webconsole.lab.local, OU=bb, O=cc, L=dd, ST=ee, C=ab

 

CSRs are created in the corresponding way.


2 replies

downhill
Byte
  • Author
  • Byte
  • 68 replies
  • February 19, 2025

doh, genkey needs the keysize not certreq.
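Because the RSA key size is fixed when `keytool -genkey` runs and `-certreq` only wraps the key that is already in the keystore, the practical safeguard is to inspect the CSR before it goes to the CA. The checker below is an added example, not code from this thread or from keytool: it decodes the PEM CSR, reads the RSA modulus out of the SubjectPublicKeyInfo and compares its bit length with the CA policy quoted in the question (2048 or 4096 allowed). The `build_dummy_csr` helper, the reuse of the subject name webconsole.lab.local from the answer, and the 2048/4096 policy set are assumptions; the constructed CSR carries a dummy modulus and a dummy signature so the check runs offline.

```python
"""Pre-submission check that a keytool CSR carries an RSA key the CA will accept.

Added example, not code from the thread. Assumptions: the CA accepts only
2048- and 4096-bit RSA keys (as the question states) and the CSR is the PEM
file written by `keytool -certreq`. The CSR used below is constructed in code
(dummy modulus, dummy signature) so the check runs offline; point the script
at a real .csr file to check it before sending it to the CA.
"""
import base64
import re

ALLOWED_RSA_BITS = {2048, 4096}                 # CA policy from the question
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


# ---- minimal DER reader (enough for a CSR's SubjectPublicKeyInfo) -----------
def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a constructed element into (tag, content) children."""
    pos, out = 0, []
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def rsa_modulus_bits(csr_pem):
    """Return the RSA modulus size in bits of a PEM CSR, or None if the key is not RSA."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", csr_pem))
    _, cert_req, _ = _read_tlv(der, 0)          # CertificationRequest
    info = _children(cert_req)[0][1]            # CertificationRequestInfo
    spki = _children(info)[2][1]                # version, subject, SubjectPublicKeyInfo
    (_, alg), (_, pubkey) = _children(spki)
    if _children(alg)[0][1] != RSA_OID:
        return None
    # BIT STRING content: one "unused bits" byte, then RSAPublicKey { n, e }
    _, rsa_pub, _ = _read_tlv(pubkey, 1)
    modulus = _children(rsa_pub)[0][1]
    return int.from_bytes(modulus, "big").bit_length()


def csr_acceptable(csr_pem, allowed=ALLOWED_RSA_BITS):
    """True only if the CSR's RSA key size is one the CA policy allows."""
    bits = rsa_modulus_bits(csr_pem)
    return bits is not None and bits in allowed


# ---- constructed CSR for offline testing (not a real key or signature) -----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:                           # DER INTEGERs are signed
        raw = b"\x00" + raw
    return _der(0x02, raw)


def build_dummy_csr(bits):
    """Constructed CSR whose RSA modulus is exactly `bits` bits wide (assumed test input)."""
    modulus = (1 << (bits - 1)) | 1             # top bit set, so bit_length() == bits
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"webconsole.lab.local"))
    subject = _der(0x30, _der(0x31, cn))
    info = _der(0x30, _der_int(0) + subject + spki + _der(0xA0, b""))
    # 1.2.840.113549.1.1.12 sha384WithRSAEncryption, matching the keytool output above
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010c")) + _der(0x05, b""))
    csr = _der(0x30, info + sig_alg + _der(0x03, b"\x00" * (bits // 8 + 1)))
    body = base64.encodebytes(csr).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}-----END NEW CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_dummy_csr(3072)
    bits = rsa_modulus_bits(pem)
    verdict = "accepted" if csr_acceptable(pem) else "rejected by CA policy"
    print(f"RSA key size in CSR: {bits} bits -> {verdict}")
```

Run it as `python check_csr.py tomcat.csr` against the file written by `keytool -certreq`; with no argument it checks the constructed 3072-bit CSR and reports it as rejected. For a quick manual look the same information is in `openssl req -noout -text -in tomcat.csr`, on the `Public-Key:` line. If the reported size is not the one you intended, the fix is the one the reply gives: regenerate the key pair with `-genkey -keysize` and then run `-certreq` again, because `-certreq` has no way to change the key it is wrapping.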


