[Ach] macosx and certificates > 4096bit

Adi Kriegisch adi at kriegisch.at
Fri Apr 11 14:04:01 CEST 2014


Hey!

Just a note to anyone who runs into this issue which is still not fixed
with recent versions (10.9.2) of MacOSX: OSX cannot handle certificates
 >4096bit out of the box.

This was apparently changed in "Security Update 2006-007" or 10.4.9; before
that, OSX could handle any certificate.[1]
Pepi (thanks a lot) pointed me at issuing this command to "make it work":
  | sudo defaults write /Library/Preferences/com.apple.security RSAMaxKeySize -int 32768
which allows MacOSX to handle Certificates of sizes up to 32768 bits. But
in my case this was just one part of the story. From digging up the
source[2] I found a second important parameter (for my certificate): The
public exponent size which is 64.
  | sudo defaults write /Library/Preferences/com.apple.security RSAMaxPublicExponent -int 1024
(probably 128 would be enough?) finally 'fixed' the issue for me.

-- Adi

[1] https://discussions.apple.com/thread/2668985
[2] http://www.opensource.apple.com/source/libsecurity_apple_csp/libsecurity_apple_csp-36859/lib/RSA_DSA_keys.h
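
Added example, not part of the original post: a shell check of whether a certificate's RSA modulus and public exponent fit within a pair of limits such as the two settings above. The function and sample names are hypothetical, the certificate text is constructed, and reading the post's 64 as the default exponent limit in bits is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post).
# cert_fits MAX_KEY_BITS MAX_EXP_BITS: reads `openssl x509 -noout -text` style
# text on stdin, prints both sizes in bits, returns 0 only if both are in range.
cert_fits() {
    awk -v maxkey="$1" -v maxexp="$2" '
    # bit length of a hex string (colons, spaces and leading zeros ignored)
    function bits(h,   d) {
        gsub(/[^0-9a-fA-F]/, "", h); sub(/^0+/, "", h)
        if (h == "") return 0
        d = index("0123456789abcdef", tolower(substr(h, 1, 1))) - 1
        return (length(h) - 1) * 4 + (d >= 8 ? 4 : d >= 4 ? 3 : d >= 2 ? 2 : 1)
    }
    /Public[- ]Key: \([0-9]+ bit\)/ {
        s = $0; sub(/.*\(/, "", s); sub(/ bit.*/, "", s); key = s + 0; next
    }
    /Exponent:/ {
        if ($0 ~ /\(0x/) { s = $0; sub(/.*\(0x/, "", s); sub(/\).*/, "", s); hex = s }
        else inexp = 1      # large exponents follow as a hex dump on the next lines
        next
    }
    inexp && /^[ \t]*[0-9a-fA-F:]+[ \t]*$/ { hex = hex $0; next }
    { inexp = 0 }
    END {
        e = bits(hex)
        printf "modulus=%d exponent=%d\n", key, e
        exit !(key > 0 && key <= maxkey && e > 0 && e <= maxexp)
    }'
}

# Constructed sample: 8192-bit key with a 65-bit exponent (hex-dump form).
sample_large() {
    cat <<'EOF'
                Public-Key: (8192 bit)
                Modulus:
                    00:c4:1f:9a:02:7b
                Exponent:
                    01:00:00:00:00:00:00:00:01
        X509v3 extensions:
EOF
}

# Constructed sample: 2048-bit key with the common exponent 65537 (inline form).
sample_small() {
    printf '%s\n' '    Public-Key: (2048 bit)' '    Exponent: 65537 (0x10001)'
}

sample_large | cert_fits 4096 64 || echo "exceeds the limits"
sample_large | cert_fits 32768 1024 && echo "fits the raised limits"
```

With a real certificate, pipe the output of `openssl x509 -noout -text -in cert.pem` into `cert_fits`; raising only the key-size limit still rejects the large sample because of its exponent.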