#73 More reasonable default keysize for EC
Opened 2 years ago by rcritten. Modified 2 months ago

The default keysize in certmonger is 2048.

The EC code tries to figure out what curve to use based on the keysize.

So, if no keysize is provided on the CLI then the default is 2048 which effectively maps to secp521.

For keys > 1024 there should be a mapping between the RSA and EC equivalent key sizes:

3072 -> 256
7680 -> 384
15360 -> 521


Metadata Update from @rcritten:
- Issue assigned to rcritten

2 years ago

Talked to Nalin about this a bit.

We agreed to add a new option to specify the curve.

I also asked about support for the 192- and 224-bit curves and he thought it had to do with the set of curves available to both OpenSSL and NSS. I'll reinvestigate to see if anything has changed.
