Issuing for common RSA key sizes only

Effective 2020-09-17, we’re requiring that all RSA keys for end-entity (leaf) certificates have a modulus of length 2048, 3072, or 4096. These are by far our most popular key sizes, representing 99.9996% of our issued certificates. In the last 90 days we’ve issued only 571 certificates that had RSA key sizes other than those. Unless you have specifically configured your ACME client for an unusual key size, you don’t need to take any action.

The reason for the change may be a bit surprising: In 2008, there was a bug in Debian distributions of OpenSSL that led to predictable generation of private keys. The Debian project fixed the bug, and generated a block list of public keys that correspond to private keys generated with the buggy code. CAs have long been required by the Baseline Requirements to block weak keys, including the Debian Weak Keys.

In March 2020, a bug report was filed about a just-issued certificate using one of the keys on Debian’s block list. That was due to an implementation bug by the affected CA, but it sparked a conversation on the mozilla.dev.security.policy mailing list about what exactly the BRs require. Part of that conversation revolved around the question of whether the Debian project’s block list is adequate to meet the BR requirement to block weak keys. The block list was only generated for keys of size 512, 1024, 2048 and 4096. If someone requests a certificate with a key of size 4048, it’s possible that it was generated by the weak Debian version of OpenSSL. Even though it’s unlikely, we have no way of knowing, without generating block lists for every possible key size. That would be pretty expensive.

We’ve looked at our popular key sizes, and 2048, 3072, and 4096 are by far the most popular. We’re continuing to use the Debian block list for 2048 and 4096. For 3072 we are using an additional block list generated by Rob Stradling of Sectigo. For other key sizes we will reject issuance to make sure we’re in compliance with the BR requirements. We’ll be emailing the subscribers who issued those 571 certificates with uncommon key sizes to ensure they’re aware of the change.

9 Likes