Certificate size is too large?


#1

Thanks for keeping the service and reading my post.

I faced a memory size limit for a certificate.
I contacted the CS of the HTTPS server.
The CS wrote that the certificate size is too large and that I should remove the certificate policy or extended key usage.
We cannot increase memory for a certificate because of the hardware spec.
In fact, I can install a certificate issued by LE in January (because it has no embedded SCTs).
What do you think about this?

Certificate details are as follows:
Key: RSA 2048 bits (the server doesn't support ECC keys)
SAN: 1 domain (32 letters; of course, the CN is the same)
OCSP must-staple: no

※ The server was bought in April this year. (It is not pre-owned.)


#2

Hi,

Your certificate is “normal”, short and appropriate…

I don’t see any issue with this…

Thank you


#3

I don’t know whether the support person is technically correct, but Let’s Encrypt will not give users the option to change these features of the certificate. Therefore, if the support person is correct, you’ll need to change the server platform that you use, or use a different CA instead.

If the server has a community forum of some sort, you could try asking there for other opinions or experiences to determine whether the support person’s answer was right.

The idea that the certificate is too large is unusual (I’ve never heard of this limitation before with any HTTPS implementation!), but not absolutely impossible.


#4

Thank you for replying.

The CS's writing sounds right to me.
I have tested some certificates signed by private CAs. (I cannot create SCT-embedded certs.)
Each of the certs that could not be installed had slightly more data.
Certs including a long subject and a certificate policy cannot be installed.
Certs including a simple subject and the same certificate policy can be installed.
Certs including a long subject and no certificate policy can be installed.
And so on.

If this limit is real, I know only DigiCert as an alternative, because of embedded SCTs.
In fact, COMODO Free SSL cannot be installed; a RapidSSL trial with no SCT can be installed.
And the DigiCert cert is not suitable because it has no SCT information. (The server does not support OCSP stapling or modifying TLS extensions.)
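The experiments in this post vary the subject and the certificate policy extension and observe which certificates the device accepts, and the first post notes that a certificate without embedded SCTs installs fine. A quick way to reason about such a limit is to measure how many bytes each part of the DER encoding actually costs. The script below is an added example written for this thread, not code from the forum or from Let's Encrypt: it contains a tiny standard-library DER encoder and reader, builds a structurally valid test certificate with a zeroed placeholder key and signature (the domain name, CPS URI and SCT bytes are all constructed placeholders, and the two SCTs are only sized like typical v1 SCTs), and then attributes the certificate's size to its top-level fields and to each extension OID. The same `size_report` function works on any real DER certificate read from disk.

```python
"""Attribute a DER-encoded X.509 certificate's size to its fields and extensions.

Added example, not from the thread. Standard library only. The reader assumes
single-byte tags and definite lengths, which is what X.509 DER actually uses.
"""

# ---- minimal DER encoder, used only to construct the test certificate ----

def der_length(n):
    """Encode a definite-form DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Wrap content in a tag/length/value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))


# ---- minimal DER reader ----

def read_tlv(buf, pos=0):
    """Return (tag, content, end) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def iter_children(content):
    """Yield (tag, content, raw_tlv_bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, end = read_tlv(content, pos)
        yield tag, body, content[pos:end]
        pos = end


def decode_oid(body):
    """Turn OBJECT IDENTIFIER content bytes back into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def size_report(cert_der):
    """Break the certificate's byte size down by top-level field and by extension OID."""
    _, cert, _ = read_tlv(cert_der)
    tbs_raw, sigalg_raw, sig_raw = [raw for _, _, raw in iter_children(cert)]
    report = {"total": len(cert_der), "tbsCertificate": len(tbs_raw),
              "signatureAlgorithm": len(sigalg_raw), "signatureValue": len(sig_raw),
              "extensions": {}}
    _, tbs, _ = read_tlv(tbs_raw)
    for tag, body, _ in iter_children(tbs):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions, wraps a SEQUENCE
            _, ext_list, _ = read_tlv(body)
            for _, ext_body, ext_raw in iter_children(ext_list):
                _, oid_body, _ = read_tlv(ext_body)   # extnID is the first element
                report["extensions"][decode_oid(oid_body)] = len(ext_raw)
    return report


# ---- constructed test certificate (placeholder key/signature; never trust it) ----

def extension(dotted_oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = encode_oid(dotted_oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, value_der))


def fake_sct_list(count, sct_len=118):
    """TLS-encoded SCT list with zeroed placeholder SCTs sized like typical v1 ECDSA SCTs."""
    items = b"".join(len(s).to_bytes(2, "big") + s for s in [bytes(sct_len)] * count)
    return len(items).to_bytes(2, "big") + items


def build_test_cert(extensions):
    """Structurally valid v3 certificate with zeroed RSA-2048-sized key and signature placeholders."""
    def name(cn):   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (commonName only)
        return tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))
    sha256_rsa = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    rsa_alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256_rsa
              + name("Test CA")
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
              + name("printer.example")                          # placeholder subject
              + tlv(0x30, rsa_alg + tlv(0x03, b"\x00" + bytes(270)))   # SPKI placeholder
              + tlv(0xA3, tlv(0x30, b"".join(extensions))))
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + bytes(256)))  # signature placeholder


SAMPLE_EXTENSIONS = {   # all values constructed for this example
    "subjectAltName": extension("2.5.29.17", tlv(0x30, tlv(0x82, b"printer.example"))),
    "extendedKeyUsage": extension("2.5.29.37", tlv(0x30, encode_oid("1.3.6.1.5.5.7.3.1")
                                                     + encode_oid("1.3.6.1.5.5.7.3.2"))),
    "certificatePolicies": extension("2.5.29.32", tlv(0x30, tlv(0x30, encode_oid("2.23.140.1.2.1")
        + tlv(0x30, tlv(0x30, encode_oid("1.3.6.1.5.5.7.2.1") + tlv(0x16, b"http://cps.example/")))))),
    "sctList": extension("1.3.6.1.4.1.11129.2.4.2", tlv(0x04, fake_sct_list(2))),
}

if __name__ == "__main__":
    full = build_test_cert(list(SAMPLE_EXTENSIONS.values()))
    for key, value in size_report(full).items():
        print(f"{key}: {value}")
    for name_, ext in SAMPLE_EXTENSIONS.items():   # what dropping each extension saves
        rest = [e for k, e in SAMPLE_EXTENSIONS.items() if k != name_]
        print(f"without {name_}: {len(build_test_cert(rest))} bytes")
```

Running it shows that the two placeholder SCTs alone account for more than the policy, EKU and SAN extensions combined, which matches the observation that an LE certificate from before SCT embedding installs while a current one does not. To measure a real certificate, read its DER bytes (for PEM, base64-decode the body between the BEGIN/END lines) and pass them to `size_report`.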


#5

Hi,

What server software and web server are you using?

Thank you


#6

In fact, I think the default cert is the best choice for the control panel… because opening it to the public is not recommended (and exposing the DNS name is a risk).

The target is TS5030 made by Canon.

In fact, for some security reasons, I gave up on connecting it to the network.


#7

Hi,

I have a Canon printer at home… And I spent three days trying to get a 2048-bit certificate (self-signed) on it… (And I failed)

I kind of believe that those Canon firmwares do not allow any certificate larger than 1024 bits… (which is impossible to issue with a public CA)…

You may need to make a self-signed certificate in this case…

Thank you


#8

Thank you for replying.

I succeeded in installing an RSA 4096-bit cert signed by a private CA. (It had no extensions.)
I think not accepting 2048-bit certs depends on the model.

Anyway, I think the default is better because of the risk of the certificate-generating PC.
I gave up on connecting it to the network because RSA key exchange over Wi-Fi with no IPsec is a risk.