OS X Support of Certificate Key Length

I'm trying to import a self-signed root certificate for our enterprise into a Lion machine's keychain and I'm getting an error message: "An error occured. Unable to import "<cert name>" Error -67762"
The certificate has a key length of 8192 bits, signature algorithm of SHA256RSA.
The subordinate certificate has a key length of 4096 bits, signature algorithm of SHA256RSA.
Is there a limitation on the certificate key length that OS X Lion supports? Is this planned to be addressed in an update, or is there a way to change this?

According to this document:
https://developer.apple.com/library/mac/#documentation/security/Reference/keychainservices/Reference/reference.html
That error value is errSecInvalidAttributeKeyLength
And I can confirm that the key length of 8192 bits is indeed the issue, as I came across this problem myself from generating a certificate key at that length.

Similar Messages

  • ConfigMgr Certificate Support Clarification: CAs with 4096-bit RSA Key Lengths

    Hello,
    Does anyone know if ConfigMgr 2012 R2's certificate authentication will work with the following PKI configuration?
    Root CA - 4096 bit RSA
    Issuing CA - 4096 bit RSA
    ConfigMgr Client / ConfigMgr Servers - 2048 bit RSA
    I saw on the ConfigMgr Certificate Support Page that "AMT-based computers cannot support CA certificates with a key length larger than 2048 bits", but the other certificates are somewhat unclear. In this environment, I will not deploy AMT functionality.
    For example, the Windows client computers certificate requirements state "Maximum supported key length is 2048 bits.", but it isn't clear if that rule applies to the ConfigMgr Client certificate itself, or to the whole certificate chain including CAs.
    Dropps' post on this forum page seems to indicate that he has it working with a 4096-bit CA, but I'd like to hear some additional confirmation.
    Anyone out there running ConfigMgr certificates with a 4096-bit CA?
    Thanks!
    Frank Lesniak

    TL;DR: With the exception of out-of-band management/AMT, ConfigMgr 2012 works fine with a PKI hierarchy that includes 4096-bit key length RSA Root CA, Policy CA, and/or Issuing CA certificates. Just make sure that the certificates issued to the ConfigMgr servers and clients have a 2048-bit key length.
    Longer answer: Since I did not have any takers on this question, and since I needed an answer quickly, I decided to build a lab environment. I built a PKI hierarchy that is 4096-bit RSA with a SHA-256 signing algorithm. I created certificate templates per ConfigMgr requirements (with a 2048-bit key length) and deployed the appropriate certs to both the ConfigMgr server and client. Next, I installed ConfigMgr and configured site boundaries. Then I installed the ConfigMgr client on my client machine and watched the logs.
    Not only did the client initialize properly, the certificatemaintenance.log, clientidmanagerstartup.log, and clientlocation.log files all appeared happy.
    I think it's safe to say that ConfigMgr supports a 4096-bit PKI for everything but out of band management/AMT. Just make sure you limit the certs deployed to the ConfigMgr servers or clients to a 2048-bit key length.

  • Key Length in Certificate Generator servlet

    The WebLogic SSL documentation suggests that the Certificate Requestor servlet in
    weblogic has a field to specify the keylength. However I do not find this option
    in the servlet form. Is there any other way to specify the key length? The default
    512-bit key that WebLogic generates would be inadequate for production purposes.
    I'm running WebLogic 6.1 SP2.
    Thanks!

    If the PublicKey is a RSAPublicKey, you can call getPublicExponent(), that returns a BigInteger. There's a method called bitLength() in BigInteger.

  • Invalid key length on hard drive. Can this be fixed?

    Hello,
    I have a question about an error I am receiving with a hard drive I have been using for a few months on an imac G3 (the slot loading version). I bought this used 80 GIG hard drive on ebay for a friend of mine and I helped him transfer all his data from his older 9 GIG drive to this newer 80 GIG drive that I bought for him on ebay. I simply cloned the 9 GIG drive onto the new drive using Carbon Copy Cloner. There is not a lot of data on the drive - only about 3 GIGs of data.
    The drive is the only drive in the computer (an imac G3) and therefore it is the startup drive. The operating system on the drive is OS9. All was working fine for a few months until just last week. Now I am receiving this following error:
    error message:
    The disk "Macintosh HD" appears to be damaged. Use a disk repair utility to repair the disk.
    And so I used the disk utility built into OS9 to see if I could repair the problem. (I think OS9's disk utility is called "Disk First Aid")
    When using OS9s disk utility (I think it is called "Disk First Aid") the following report is issued:
    Problem: Invalid key length, 4,943
    Test done. Problems were found but Disk First Aid cannot repair them.
    My questions are:
    What is an "Invalid key length"?
    How serious is this?
    What would cause this?
    Could this have been caused by the physical condition of the disk or possibly by the software on the disk?
    Would re-formatting the drive fix it? (Of course I would try to save any data first onto another disk)
    Or is it risky to continue to use this disk even after reformatting it?
    I guess I have a lot of questions here and if anyone could make any suggestions or comment on why "Invalid key length" errors happen I would really appreciate it. Thanks:)
    Here are some details:
    When I bought the 80 GIG hard drive from ebay the first steps I took were to format the drive using OS9's "drive setup", load the OS9 drivers and then I verified the disk. The disk seemed to be fine. Then I cloned his old drive onto this 80 GIG drive using Carbon Copy Cloner. I was sure the 80 GIG drive was in a healthy state at that time and I trusted it enough to give it to my friend for his startup drive. Now that the drive has failed with his data and programs, I feel pretty bad. How could this "Invalid key length" error occur?
    Should I go back to the person who sold me the drive on ebay and ask for a refund? Or are "Invalid key length" errors a common occurrence with hard drives that should just be accepted? Or might it possibly be the contents (data) on my friend's disk that caused this error?
    It has been suggested to me to use "Tech Tools Pro" or "Disk Warrior" to repair the disk. Hopefully that might repair the disk. Unfortunately these programs are too expensive for this purpose because they would cost more than the computer actually costs (its an old imac G3 computer). I found a service that would run Disk Warrior on the disk to repair it for a $50 fee. Still, that is also not worth it as the computer may not even be worth $50.
    Here are some specifications:
    80 GIG drive specs: SEAGATE BARRACUDA 7200.7 80GB hard drive
    computer: imac G3 (slot loading version)
    OS: Mac OS9
    Thank you for any suggestions especially as to whether I should attempt to return the hard drive or look for a refund for this hard drive or attempt to reformat the drive and try again (backing up the data first).
    I also question the source of all the data on my friends computer. If he had the original operating system disks (which he said didn't come with his computer when he purchased it second-hand), I could have easily re-installed the OS and the applications. But he doesn't have any disks. That serves me right for having to deal with trying to help out someone who has software from a questionable source. I'm never doing that again. I guess that makes me guilty too as an accomplice. I don't feel very good about this
    I didn't know for sure - but I guess I should have assumed his software was illegal if he didn't have the disks - I was afraid to ask. I'm never putting myself in this possibly illegal situation again. Never again will I try to help someone out who doesn't clearly have the legal disks. Please forgive me and everyone else who reads this post. I feel shameful about this but somehow I must get myself out of this problem. I've learned a good lesson. Should I attempt to fix his computer? Or should I tell him to first buy a legal OS and software before I can help him out? You see I feel further guilt because I was the one who gave him the 80 GIG problematic hard drive that failed and I feel I should have to fix it. Can anyone offer me a bit of advice? What do I do?
    What's the right thing to do?

    Thank you Jim and Apple2Freak,
    I appreciate your comments. I am now suggesting to my friend to buy a legal OS and if that is the case I am suggesting to him to move to OSX instead of OS9. Luckily he let me know there wasn't much data on that drive that he needed to save. I am still trying to determine if I could still use this hard drive with the keylength errors if I erase it or if the hard drive has permanent damage. I am hoping that I could install OSX on it and erase the hard drive to start again.
    This imac (slot loading version) can support up to OS 10.3.9 however I might consider Xpostfacto to try to run 10.4. But then I would need to buy 10.3.9 as well as 10.4 and that would double my OS cost. I think I might just look for OS 10.3.9 only. Its not worth it for me to buy two OSes for it.
    Jim, your post was very interesting because it also pointed out that it could be an issue of bad RAM. A few months ago we installed some new second-hand RAM and I wonder if that is the cause of all these problems. I will have to check that first.
    Thanks again!

  • WLC: which software-version support SHA2 certificates for Web Authentification and Web Management ?

    Hello,
    I tried to install new SHA2 third-party certificates on our WLCs. There are old WiSM1 boards and 2504s to support our old 1230 Access Points, running 7.0.251.2, which didn't install it, although the config manuals for 7.6 and 8.0 say that SHA2 certificates are supported since 7.0.250.0. When I tried to install the SHA2 certificates I got the message "File transfer failed" and the log says:
    *TransferTask: Dec 12 13:22:14.394: #UPDATE-3-CERT_INST_FAIL: updcode.c:1869 Failed to install Webauth certificate. rc = 1
    *TransferTask: Dec 12 13:22:14.394: #SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4085 Cannot PEM decode private key
    I tried to install the same certificates on our WiSM2-Boards, running 7.4.121.0 and I failed too. The same certificates could be installed on a 2504 running 8.0.100 without any problems.
    In all 3 cases I tried to install unchained certificates for web management and Level 3 chained certificates  for web authentication. I used the following guides to get the certificates (e.g. taken from the config manual 8.0.100):
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.pdf
    Which software versions support SHA2 certificates and which don't? Is there a list for it?
    Regards

    Hello,
    I solved the problem. First I used a Debian Linux system with OpenSSL 1.0.1. After I searched the internet using one of the log messages above I found sites which mentioned using OpenSSL 0.9.x. So I tried a production Debian Linux system with security fixes running OpenSSL 0.9.8 and I succeeded. The WLCs accepted the certificate files and used them after a reboot. The Web GUI still shows a SHA1 fingerprint, but the certificate signature algorithm is SHA2:
    Signature Algorithm: sha256WithRSAEncryption
    When you check the openssl.org homepage Openssl 0.9.8 is still one of the actual version of openssl and is still available and fixed. But the Openssl Roadmap says:
    "We don't want to have to maintain too many branches. This is likely to include a timescale for the EOL of version 0.9.8"
    I don't know the differences between certificates made with OpenSSL 0.9.8 and 1.0.1. Is there anybody who can explain it to me?
    Regards

  • Invalid key length - options

    A couple months ago I had issues installing Lion on my MBP. Upon installing, I was not able to mount the hard drive because of multiple errors. Disk repair eventually worked, I used my Time Machine backup to restore, and got Lion installed. After the installation, I went to make another TM backup and my external hard drive was corrupted to the point where I had to wipe everything on it - not sure what happened with it. Because I had so much trouble getting Lion installed, I didn't mess with creating a new TM backup and wanted to wait until I wasn't so busy at work to attempt it. I did however create a bootable Lion USB drive for emergencies.
    Long story short, the MBP froze the other day and would not boot properly. Clearing the PRAM/VRAM did not help, and when I try disk utility with the bootable USB drive, it is able to verify the drive itself, but unable to mount the startup volume. When I try to verify that volume, it stops and says to repair it. When I try to repair it, it stops and tells me the volume cannot be repaired and I need to back up my files.
    However, when I go into single user mode (running fsck gives me an invalid key length error), I can see the file structure of the drive, and all of my files in read only mode. My question is, are those files recoverable? If so, how?
    Many thanks for any thoughts

    You have a failing internal hard drive, or some other hardware fault in the mass-storage subsystem. You must replace the drive, or otherwise determine the cause of the fault, immediately. But first you need to back up your data, if it's still possible.
    There are several ways to back up a Mac that is unable to fully boot. You need an external hard drive to hold the backup data.
    1. Boot from your recovery partition (10.7 or later), a local Time Machine backup volume (10.7.2 or later), or your installation disc (10.6.8 or earlier.) Launch Disk Utility and follow the instructions in the support article linked below, under “Instructions for backing up to an external hard disk via Disk Utility.”
    How to back up and restore your files
    2. If you have a working Mac, and both it and the non-working Mac have FireWire ports, boot the non-working Mac in target disk mode by holding down the key combination command-T at the startup chime. Connect the two Macs with a FireWire cable. The internal drive of the machine running in target mode will mount as an external drive on the other machine. Copy the data to another drive.
    How to use and troubleshoot FireWire target disk mode
    3. If the internal drive of the non-working Mac is user-replaceable, remove it and mount it in an external enclosure or drive dock. Use another Mac to copy the data.

  • Invalid Key Length  Volume check failure

    I have a G4 with 768 Mb of Ram and originally ran as a dual boot system with OS9.2.2 and OSX 10.2. I attempted to upgrade to Tiger. The install kicked out twice. I then re-formatted the hard drive and installed again. I have tried running Disk First Aid, re-booting on Tiger CD, and it gives me an error message.
    Invalid Key Length
    Volume Check Failed
    ERROR: The underlying task reported failure on exit.
    1 HFS volume checked
    1 volume could not be repaired because of an error.
    HELP!!!
    Tried booting on a Norton Utilities disk but it repeatedly also locked on an error.
    Erased disk and attempted again, still no good.
    Finally went back to OS10.2.8 and am up but with still the same error if I run Disk First Aid.

    Welcome to Apple Discussions!
    Norton Utilities is not compatible with Mac OS X 10.2, and will actually cause these Invalid Keylength issues. They stopped supporting Mac OS X nearly two years ago, and even when they did it was Russian Roulette using their software.
    Remove it.
    The first utility software you should always use is a backup utility. Other utilities can supplement backups but should never be used instead of having a backup:
    http://www.macmaps.com/backup.html
    If erasing your hard drive and not installing any third party software upgrading back to 10.2.8 and not having any third party devices connected yielded an invalid keylength, either your 10.2 installation disk is damaged, or is the wrong 10.2 installation disk to use, or the hard drive or its connectors are bad. Try to determine which it is by process of elimination.
    Disclaimer: Reference to links I make to my Macmaps.com website are a for your information only type reference. I do not get any profit from this page, and it is open to the public.

  • Detecting key length restrictions

    Is there an easy way to determine programmatically if a user has the basic JDK 1.4 JCE implementation or has installed the unlimited strength version? Basically, I want to present a user with a means of setting the key length, but I need to know what the max is.

    Let me be a little more specific. I'm presenting the user with a GUI widget (JSlider, JTextField, whatever) that will allow them to enter the desired keysize. After they enter the keysize, they hit an "Encrypt" button and the program goes off and does something like the following:
         // keySizeWidget is the GUI control holding the requested key size in bits
         int keysize = keySizeWidget.getValue();
         KeyGenerator kg = KeyGenerator.getInstance("Blowfish");
         kg.init(keysize);
         SecretKey sk = kg.generateKey();
         Cipher c = Cipher.getInstance("Blowfish");
         // the policy check on the key size happens here, not in kg.init()
         c.init(Cipher.ENCRYPT_MODE, sk);
    Now, if the user selects a keysize of 448, but only has the default JRE 1.4 policy files (i.e. they haven't downloaded the unlimited versions), then I get a SecurityException at the call to c.init() reporting an unsupported keysize. However, a long time passes before the exception is thrown, and the user has no feedback when they provide the keysize that the value will be rejected later when they hit the encrypt button.
    Is there any means of finding out ahead of time what keysizes a given Cipher object will accept? It would be nice to set up the interface so that they can only select valid keysizes (i.e. set the maximum value of a JSlider to 128 if they don't have the unlimited encryption support).
    Any help would be appreciated.
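
For the question above, an added example (not code from the thread) that asks the JCE policy for its key-size ceiling before the key-size control is built, then cross-checks the answer by initialising a throwaway cipher. It assumes Java 5 or later, where `Cipher.getMaxAllowedKeyLength` is available; the class, constant and method names other than the JCE calls are illustrative.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example, not from the thread. Assumes Java 5 or later.
public class KeySizeLimits {

    // Blowfish key sizes: 32 to 448 bits, in multiples of 8.
    static final int MIN_BITS = 32;
    static final int MAX_BITS = 448;
    static final int STEP_BITS = 8;

    /** Largest usable key size: the policy ceiling capped by the algorithm's own maximum. */
    static int maxUsableKeyBits(String algorithm, int algorithmMaxBits)
            throws NoSuchAlgorithmException {
        // Returns Integer.MAX_VALUE when the unlimited-strength policy is in effect.
        int policyMax = Cipher.getMaxAllowedKeyLength(algorithm);
        return Math.min(policyMax, algorithmMaxBits);
    }

    /** True if a cipher can really be initialised with a key of this size (probe only, no data is encrypted). */
    static boolean policyAccepts(String algorithm, int keyBits) {
        try {
            KeyGenerator kg = KeyGenerator.getInstance(algorithm);
            kg.init(keyBits);
            SecretKey sk = kg.generateKey();
            Cipher c = Cipher.getInstance(algorithm);
            c.init(Cipher.ENCRYPT_MODE, sk);
            return true;
        } catch (GeneralSecurityException e) {
            return false;   // InvalidKeyException from the policy check on current JREs
        } catch (SecurityException e) {
            return false;   // what the post reports from the JRE 1.4 policy check
        } catch (IllegalArgumentException e) {
            return false;   // size is not valid for this algorithm at all
        }
    }

    /**
     * Binary search for the largest accepted size. Acceptance is monotonic:
     * if a size is rejected by policy, every larger size is rejected too.
     * Returns -1 if no size in the range is accepted.
     */
    static int largestAcceptedKeyBits(String algorithm, int minBits, int maxBits, int stepBits) {
        int lo = minBits / stepBits;
        int hi = maxBits / stepBits;
        int best = -1;
        while (lo <= hi) {
            int mid = (lo + hi) >>> 1;
            if (policyAccepts(algorithm, mid * stepBits)) {
                best = mid * stepBits;
                lo = mid + 1;
            } else {
                hi = mid - 1;
            }
        }
        return best;
    }

    public static void main(String[] args) throws Exception {
        String algorithm = "Blowfish";
        int fromPolicy = maxUsableKeyBits(algorithm, MAX_BITS);
        int fromProbe = largestAcceptedKeyBits(algorithm, MIN_BITS, MAX_BITS, STEP_BITS);

        System.out.println("Policy ceiling (capped at " + MAX_BITS + "): " + fromPolicy + " bits");
        System.out.println("Largest size accepted by probe: " + fromProbe + " bits");

        // Use the smaller of the two as the upper bound of the key-size control,
        // so a value the user can select is never rejected at encrypt time.
        int sliderMax = Math.min(fromPolicy, fromProbe);
        System.out.println("Key-size control range: " + MIN_BITS + " to " + sliderMax + " bits");
    }
}
```

The probe runs once at start-up, so the delay the poster describes is paid before the user picks a value.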

  • Dynamic Configuration key length

    I am using dynamic configuration to set certain JMS properties but it appears that the maximum key length is 20 characters.
    Has anyone experienced this problem.  Is this a bug?
    Thanks
    Here is my code
    DynamicConfiguration conf = (DynamicConfiguration) container.getTransformationParameters().get(StreamTransformationConstants.DYNAMIC_CONFIGURATION);
    DynamicConfigurationKey key1 = DynamicConfigurationKey.create("http://sap.com/xi/XI/System/JMS", "com_inforecord_messageProcessor");
    conf.put(key1, "SoapMessage");

    Yes, is possible.
    Take a look here:
    http://wiki.sdn.sap.com/wiki/pages/viewpage.action?pageId=95093307
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00a7ba12-e7cd-2b10-d589-e52b11346f77

  • How to refer the unlimited key length JCE jar files.

    Hi All,
    The JDK 1.4.2_10 contains the local_policy.jar and US_export_policy.jar that do not permit an unlimited Key length( 64 bit).
    - So I downloaded the unlimited ( Java(TM) Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2
    ) https://jsecom15d.sun.com/ECom/EComActionServlet;jsessionid=0F59ACFF95A61F6C0E78B5CE8E0FA93B.
    - Now I want the JDK to refer to these files without changing anything in the existing JDK (meaning I don't want to replace the existing local_policy.jar, US_export_policy.jar).
    - Is there any option or property which can tell the JDK to refer to the other
    files instead of this location: C:\bea\WLS8.1SP04\jdk142_05\jre\lib\security.
    Meaning I want to override these 2 existing files local_policy.jar, US_export_policy.jar without replacing them.
    Any pointers will be highly appreciated.

    A year later, this is still an issue. No replies ( btw, this is my new login name for the forums ).
    Thank You.

  • How to obtain the Management Certificate Key for using Azure with Release Management

    In the "Release Management" app in administration --> Manage Azure one must provide a "Management Certificate Key".
    I have created a self-signed cert and uploaded it to Azure Portal --> Settings --> Management certificates
    How do I get the key?
    Thanks ))

    Hi Atwater and Sons,
    when you look at the blog post paragraph four you find a link
    Download the settings file from the Azure portal to get your subscription ID and Management Certificate key.
    After you have downloaded the file, open the file with Notepad.
    You will find everything there - except the storage Account Name:
    <PublishData>
      <PublishProfile
        SchemaVersion="2.0"
        PublishMethod="AzureServiceManagementAPI">
        <Subscription
          ServiceManagementUrl="***"
          Id="***"
          Name="***"
          ManagementCertificate="***" />
      </PublishProfile>
    </PublishData>
    Copy the Id and the ManagementCertificate and paste them into RM (Manage Azure)
    Your Storage Account Name: Blog Post Paragraph four
    Go here to get the name of an existing storage account or add
    a new storage account using the Azure portal.
    Regards,
    Daniel

  • Error  connecting https when certificate key 2048

    Hello,
    I've got the following exception when I tried connecting an HTTPS web server AND when the certificate key > 2048 bits:
    javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLProtocolException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
    The exception occurs when trying to handshake the certificate:
    com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateMsg.<init>
    I tried using jdk 1.4.2_08 and 1.5.0.
    Can somebody help me? Is there a specific workaround or library to use?
    Thanks for your help
    Cédric Braem
    http://www.internetVista.com

    hi ,
    R/3 and EP are running in cross domains.
    ex- R/3 india.ac,in:port/irj/portal
          EP europe.ac.in:port/irj/portal
    There is no web dispatcher for the portal and also for the backend, and there is no additional SSL in the network.
    It is Java Web Dynpro causing the issue when I am trying to access my backend system from the portal from talent management.
    A new window appears with a pop-up and prompts for user id & password.
    Thanks & regards,
    rahul

  • Key length message - how to correct it?

    I added a couple of fields to an existing Z table (APPL0)
    and when I activate I am getting this warning message.
    Table ZMATLIST: Key length > 120 (Restricted functionality)
    Message no. DT214
    Diagnosis
    The key length, i.e. the sum of the field lengths of all the key fields of the table, is more than 120 bytes.
    System response
    This is a warning.
    Procedure
    Note the following restricted fuctionality for this table:
    - Table contents cannot be transported by specifying key values, at
      best by specifying generic key values with a maximum length of 120
      bytes.
    - The table may not be used as the base table of a lock object.
    (Couple of fields have check tables assigned to them already.)
    Since I want to transport contents of the table also, how to correct this message?
    Ven

    Check this thread..May be useful.
    Warning in SE11 - Defining tables.

  • Key length 120 (Restricted functionality) Error

    Hi Experts,
    I created a ZTable with 4 Primary Key fields. The sum of all these fields is 175. When I am activating the table it is showing the following error.
    Key length > 120 (Restricted functionality)
    Message no. DT214
    The key length, i.e. the sum of the field lengths of all the key fields of the table, is more than 120 bytes.
    Is there any solution to solve this problem?
    Regds,
    Sam.

    Dear saju sam
    Please goto change table in SE11 and remove the check boxes for primary key in table so that number of primary keys are reduced.And then activate before transporting.
    Please put ratings if this helps .

  • Sparseimage Fails Verification with Invalid Key Length error.

    I recently have been having some trouble with my computer. Every time I log out of my account, all of my preferences reset. This just now started happening. It was working fine, then all of a sudden it started to do this. This only happens on my account and doesn't with the root account. On looking up solutions, I discovered that I should verify my home directory image. I logged in as a different user (root) and used disk utility to verify it. However it failed saying "invalid key length" and "Error: The underlying task reported failure on exit". When I try to repair it, it gives me the same error. I backed up my system using superduper to an external drive a while back and verified the sparseimage file that I backed up. It failed with the same error.
    When I verify my hard drive it passes with no problem. Only my sparseimage file is corrupted. I would try diskwarrior but I can't afford it right now.
    Any help would be greatly appreciated. Thanks.
    Macbook   Mac OS X (10.4.9)   100gb hd; 1gb ram; Triple-Boot(OSX-Linux-Vista)

    Would that mean that I can't turn off filevault? Way I see it is that since the image file is corrupted, I would try to have filevault unencrypt it and see if it somehow fixes it. (Since there will be no longer a filevaut image to be corrupted). All of my data in the image file seems to be fine. Everything is still there and I can access everything.
    I was also thinking that I might be able to just copy everything in the image to my external, then delete the account and create a new one, copying everything back over when I'm done.
    I know I probably sound like a noob, but I'm really not. I've had a lot of experience with my computer, just not this sorta thing. Thanks for your help.
