|Applies To||RSA Certificate Manager 6.7|
|Issue||Approving PKCS#10 requests with RSA key modulus set to a negative value|
RSA Certificate Manager accepts PKCS#10 requests where RSA key modulus is set to a negative value, with no warning to end-user submitting the request or to vettor/administrator approving the request. A certificate can be issued from RSA Certificate Manager for such a PKCS#10 request.
Some applications do not accept certificates containing RSA keys with negative modulus
RFC 3447 PKCS #1: RSA Cryptography Specifications describe the RSA public key modulus and exponent components as positive integers.
RSAKeyimplementation in Java does not allow negative modulus:
Sun Developer Network site shows that JDK 5 may have been updated to allow negative modulus in existing certificates:
|Resolution||RSA Certificate Manager 6.7 build 423, or later builds, show the following warning to end-users submitting PKCS#10 requests with RSA key modulus set to a negative value: "This certificate request has been refused because it contains a RSA key with negative modulus."|
Such PKCS#10 requests are automatically sent to the Refused queue. A vettor or administrator can issue certificates for such requests in the Refused queue. If certificates are issued, they are marked as having a negative modulus. RSA Secure Logging Server logs issuance of certificates where RSA key has negative modulus.
|Notes||A negative modulus in the above context can be better described as a modulus value (which is always assumed to be a positive integer) not padded with leading 0's when its most significant bit (left-most bit) is 1.|
|Legacy Article ID||a43707|