One of the letsencrypt_plugin users has a problem with key size = 8192. I can reproduce this error with a private key generated in the following way:
openssl genrsa 8192 > key/keyfile.pem
The server responds with an error: “Acme::Client::Error::Unauthorized: No registration exists matching provided key”. Is this the correct behavior?
Hi, signing bigger keys is no performance issue, because for signing you first calculate the SHA256 hash and then sign it with the CA's private RSA key.
The heavier burden is when you use the large RSA key for key exchange/signing in TLS as a server.
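The cost argument in the post above, checked with the same openssl CLI the original poster used. This is an added example, not code from the thread or from letsencrypt_plugin: it generates fresh 2048- and 4096-bit keys in a temporary directory, SHA256-hashes and signs a constructed sample file standing in for the certificate body, verifies the signature with the matching public key, and times the private-key operation. The millisecond timer assumes GNU `date` (`%N` nanoseconds); 8192-bit generation (the poster's case) can take minutes, so it is left out of the loop. What it shows is exactly the point made in words: the hash step has a fixed output size, while the signature length and the private-key cost grow with the modulus.

```shell
#!/bin/sh
# Added example, not from the forum thread: measure how RSA key size affects
# the sign step a CA performs (SHA256 hash, then one private-key operation).
# Assumes the openssl CLI and GNU date (for %N nanoseconds).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the to-be-signed certificate body.
printf 'constructed sample data standing in for a TBSCertificate\n' > "$WORK/tbs.bin"

# gen_key BITS: generate a private key and matching public key,
# then print the modulus size in bits as openssl reports it.
gen_key() {
    openssl genrsa -out "$WORK/key-$1.pem" "$1" 2>/dev/null
    openssl rsa -in "$WORK/key-$1.pem" -pubout -out "$WORK/pub-$1.pem" 2>/dev/null
    openssl rsa -in "$WORK/key-$1.pem" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# sign_and_verify BITS: SHA256-hash the sample and sign the digest with the
# private key, then verify with the public key. Exit status 0 means verified.
sign_and_verify() {
    openssl dgst -sha256 -sign "$WORK/key-$1.pem" -out "$WORK/sig-$1.bin" "$WORK/tbs.bin"
    openssl dgst -sha256 -verify "$WORK/pub-$1.pem" -signature "$WORK/sig-$1.bin" "$WORK/tbs.bin" >/dev/null
}

# sig_len BITS: print the signature length in bytes (one RSA modulus, BITS/8).
sig_len() {
    wc -c < "$WORK/sig-$1.bin" | tr -d ' '
}

# bench_sign_ms BITS ITERATIONS: print milliseconds spent producing ITERATIONS
# signatures; the hash input is the same every time, only the key size changes.
bench_sign_ms() {
    start=$(date +%s%N)
    i=0
    while [ "$i" -lt "$2" ]; do
        openssl dgst -sha256 -sign "$WORK/key-$1.pem" -out "$WORK/bench.bin" "$WORK/tbs.bin"
        i=$((i + 1))
    done
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# 8192-bit generation (the poster's case) can take minutes, so compare 2048 and 4096.
for bits in 2048 4096; do
    gen_key "$bits" >/dev/null
    sign_and_verify "$bits"
    echo "$bits-bit key: signature $(sig_len "$bits") bytes, 10 signatures in $(bench_sign_ms "$bits" 10) ms"
done
```

Run it as `sh bench_rsa_sign.sh`; the 4096-bit line will show a signature twice as long and noticeably more milliseconds per signature than the 2048-bit line, while the SHA256 step is identical for both.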
I think it is the same as the limit to only two EC curves: the *** argument that it is not widely supported.
Well, the modulus of a large RSA key is a very big part of the certificate, right? And you can’t deny that calculating the SHA256 hash of a bigger piece of data costs more CPU power than a smaller piece of data, right?
But you’re right, that probably won’t be a very big performance penalty indeed. Your argument is more likely I’m afraid.
[offtopic] Did you know that in elliptic curve ciphers, the verification part is relatively heavy performance-wise compared to signing? In the end EC ciphers are still a better choice compared to RSA, but for a client an RSA key is easy peasy while a large EC curve verification is relatively heavy.