Yubico/yubico-piv-tool

Unusable RSA key of 3072 bits, only 1024 and 2048 are supported

Closed this issue · 5 comments

Hi, we are trying to configure a YubiKey for Java code signing.
But when trying to import a root certificate from Sectigo, we are receiving the error: Unusable RSA key of 3072 bits, only 1024 and 2048 are supported

Yubikey model:
https://www.yubico.com/br/product/yubikey-5-fips-series/yubikey-5-nfc-fips/

import command:
ykman piv import-certificates 82 SectigoPublicCodeSigningCAR36.crt

I tried with:
yubico-piv-tool -s82 -aimport-certificate

The YubiKey PIV application is limited to the algorithms present in the PIV standard, hence only 1024 and 2048 RSA keys are supported.

@qpernil thanks for answering!

When I try to certify a jar file using jarsigner with the YubiKey, I'm getting this warning:

Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I imported the Sectigo intermediate certificate to the YubiKey device, but it made no difference.

I thought that importing the root certificate might solve it.

Any suggestions?

It looks like you're using Java with ykcs11. Is that correct?

The error is coming from Java, so the intermediate certificate should probably be imported into the Java truststore, not the YubiKey device.

The YubiKey PIV application is limited to the algorithms present in the PIV standard, hence only 1024 and 2048 RSA keys are supported.

Yes indeed.
As shown by pkcs11-tool -M, RSA >= 2048 is supported on my YubiKey series 4, but unfortunately not via PIV (#58 (comment)).
In my personal case I must code-sign Microsoft Windows executables with Authenticode (via signtool.exe or another utility), so the hardware token is now effectively useless; I've had to fall back to cloud signing.

This issue has been addressed now: you need a YubiKey with firmware 5.7+ to use RSA > 2048 via PIV.
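A preflight check that follows from this thread, added here as an example and not part of yubico-piv-tool or ykman: it reads the RSA modulus size from the CA certificate with openssl, the firmware version from ykman info, and reports whether the certificate can go into a PIV slot (1024/2048 on any firmware, larger RSA only on 5.7+) or must stay in the Java truststore. It assumes openssl and ykman are on the PATH and that the certificate is an RSA certificate.

```shell
#!/bin/sh
# Added example (not project code): decide whether an RSA certificate is
# importable into a YubiKey PIV slot for the attached key's firmware.
# From the thread: firmware < 5.7 accepts only RSA 1024/2048 via PIV,
# firmware 5.7+ also accepts larger RSA keys.

# piv_rsa_supported BITS FIRMWARE -> returns 0 if importable, 1 otherwise
piv_rsa_supported() {
    bits="$1"
    fw="$2"
    case "$bits" in
        1024|2048) return 0 ;;   # PIV-standard sizes, any firmware
    esac
    [ -n "$fw" ] || return 1      # no firmware known: assume unsupported
    major="${fw%%.*}"
    rest="${fw#*.}"
    minor="${rest%%.*}"
    # RSA > 2048 only on firmware 5.7 or newer
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; }; then
        return 0
    fi
    return 1
}

# cert_rsa_bits CERT_FILE -> prints the modulus size, empty if not an RSA cert
cert_rsa_bits() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q rsaEncryption || return 1
    echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# yubikey_firmware -> prints the version string, e.g. 5.4.3, from ykman info
yubikey_firmware() {
    ykman info | sed -n 's/^Firmware version: *//p'
}

if [ "$#" -eq 1 ]; then
    cert="$1"
    bits=$(cert_rsa_bits "$cert") || { echo "$cert: not an RSA certificate" >&2; exit 2; }
    fw=$(yubikey_firmware)
    if piv_rsa_supported "$bits" "$fw"; then
        echo "RSA $bits-bit certificate can be imported via PIV (firmware $fw)"
    else
        echo "RSA $bits-bit key is not importable via PIV on firmware $fw;" \
             "keep this CA certificate in the Java truststore instead" >&2
        exit 1
    fi
fi
```

Run it as `sh check-piv-cert.sh SectigoPublicCodeSigningCAR36.crt` with the YubiKey attached; a non-zero exit means the chain has to be completed on the Java side rather than on the token.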