000025530 - Unable to sign certificate request with an exponent 3 RSA key

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 3

Article Content

Article Number: 000025530

Applies To: RSA Registration Manager, RSA Certificate Manager, Cisco VPN 3000 concentrators

Issue: Unable to sign certificate request with an exponent 3 RSA key
When submitting a certificate request to RSA Certificate Manager or RSA Registration Manager, the following error shows:

"This certificate request has been refused because it contains a RSA key with public exponent 3. Please try to submit the request again or contact your administrator for assistance."
Resolution: If an RSA key with exponent 3 is used, it may be possible to forge a PKCS #1 v1.5 signature that verifies under that key. An implementation that uses SSL certificates may incorrectly verify a certificate if it does not check for excess data in the RSA exponentiation result of the signature.

To prevent this issue, RSA Certificate Manager and RSA Registration Manager do not generate RSA keys with exponent 3. However, a third-party application may generate a certificate request that contains an exponent 3 RSA key. In that situation, RSA Certificate Manager does not allow the certificate request to be signed.

Ask your product vendor to generate a certificate request which does not have an exponent 3 RSA key.

Reference solution: RSA Certificate Manager or RSA Registration Manager shows the following error: "This certificate request has been refused because it contains a RSA key with public exponent 3..."

This issue was seen when a Cisco VPN 3000 concentrator generated a certificate request with a 1024-bit key. Changing the key size from 1024 to 2048 resolved the issue.

Legacy Article ID: a33967
