Score:1

Is it possible to specify Active Directory PKI key size through a CSR

fr flag

When I request a certificate from Letsencrypt and put the key and fullchain.cer in the nginx config, everything works fine.

The same procedure for Active Directory does not work:

- I generate a key (tried RSA 2048 or 4096 bits, and EC with the default curve and settings)
- Then generate a CSR
- Upload the CSR to the local PKI site
- Get PEM certificates (certnew.cer - certificate, certnew.p7b - full chain)
- Convert from PKCS #7 to PEM:

openssl pkcs7 -print_certs -in certnew.p7b -out 3cer

The contents look like a valid full chain, but nginx does not start:

SSL_CTX_set0_chain("/etc/nginx/ssl.pem") failed (SSL: error:1415418D:SSL routines:ssl_cert_set0_chain:ca key too small)

A funny fact: if I put the single certificate certnew.cer as the nginx server.ssl_certificate, everything seems to work (although it is not the full chain and AFAIK this shouldn't work).

I'm not an AD admin. I can only change CSR parameters or add "attributes" in the AD PKI textbox (but I didn't find any documentation on what this is for).

Can I force AD to use a larger key? Or maybe this nginx error message is misleading?

dave_thompson_085
jp flag
If the CA issues your cert directly under its root, then having the TLS server (nginx) serve only the EE/leaf cert is correct. A real CA like letsencrypt will NEVER do this, but a 'local PKI' _might_. If the local PKI does use an intermediate cert and you don't put it in the nginx configuration, that's officially nonstandard but _some_ clients, particularly browsers, _sometimes_ accept it anyway, while other clients (especially software like curl wget nodejs python ...) will reject it.
dave_thompson_085
jp flag
However it _may_ be possible to get (OpenSSL in) nginx to accept a smaller CA key by lowering SECLEVEL. What versions of nginx and OpenSSL, and what if anything does your nginx config say for `ssl_ciphers` and `ssl_conf_command`?
Oleg Gritsak
fr flag
dave_thompson_085, thanks a lot. SECLEVEL is a good hint. If the AD admins won't make a good cert, this looks like a solution.
Score:0
br flag

Your key size is defined when you generate the certification request, not by the CA when it's signing the request. So, no, you cannot force the AD Certification Authority (CA) to use a larger key, as the key is already generated by the time it gets to the CA.

That said, if you use Windows to generate the certification request, the minimum (read: default) size for requests is defined in the certificate template.

As you state that the error isn't emitted if you use only the server certificate (no CA chain), then this suggests that the server certificate is fine.

Check the size of the CA certificate itself. I'd wager that this is too small for a modern server/service to accept.

dave_thompson_085
jp flag
The error code is explicitly "ca key too small" -- CA NOT EE. The CA cert and key are determined by the CA, and in general to get a larger CA key you must use a different CA, which it doesn't appear OP can.
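The answer's advice is to check the key size of each certificate in the chain rather than the leaf alone. The following is an added shell example (not posted in this thread); it assumes `openssl` is on PATH and takes the PEM bundle produced by the `openssl pkcs7 -print_certs` step from the question.

```shell
#!/bin/sh
# Report the public-key size of every certificate in a PEM bundle (for
# example the "3cer" file from the question) and find the smallest one.
# OpenSSL's default security level (SECLEVEL=1 in 1.1.x/3.x) rejects RSA
# keys below 2048 bits, which is what nginx reports as "ca key too small".
set -eu

# Print "<subject> <bits>" for each certificate in the bundle $1.
chain_key_sizes() {
    dir=$(mktemp -d)
    # Split the bundle into one file per certificate; subject=/issuer=
    # lines emitted by -print_certs fall outside BEGIN/END and are skipped.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
    for c in "$dir"/*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        # Matches both "RSA Public-Key: (N bit)" (1.1.x) and "Public-Key: (N bit)" (3.x)
        bits=$(openssl x509 -in "$c" -noout -text |
               sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        printf '%s %s\n' "$subj" "$bits"
    done
    rm -rf "$dir"
}

# Smallest key size in the bundle $1: anything under 2048 explains the error.
min_key_bits() {
    chain_key_sizes "$1" | awk '{ if (m == "" || $NF + 0 < m + 0) m = $NF } END { print m }'
}

# Usage: sh check_chain.sh 3cer
[ $# -eq 0 ] || chain_key_sizes "$1"
```

If the smallest key belongs to the CA, only the CA operators can fix it properly; the `ssl_conf_command CipherString "DEFAULT:@SECLEVEL=0";` workaround mentioned in the comments lowers the check for every connection that nginx server block handles, not just for this chain.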