|Applies To||RSA Registration Manager|
RSA Certificate Manager
Cisco VPN 3000 concentrators
|Issue||Unable to sign certificate request with an exponent 3 RSA key|
When submitting a certificate request to RSA Certificate Manager or RSA Registration Manager, the following error shows:
"This certificate request has been refused because it contains a RSA key with public exponent 3. Please try to submit the request again or contact your administrator for assistance."
|Resolution||If an RSA key with public exponent 3 is used, it may be possible to forge a PKCS #1 v1.5 signature that appears to have been made by that key. Implementations using SSL certificates may incorrectly verify the certificate if they do not check for excess data in the RSA exponentiation result of the signature.|
To prevent this issue, RSA Certificate Manager and RSA Registration Manager do not generate RSA keys with exponent 3. However, a third-party application may generate a certificate request that contains an exponent 3 RSA key. In that situation, RSA Certificate Manager does not allow signing of that certificate request.
Ask your product vendor to generate a certificate request which does not have an exponent 3 RSA key.
Reference solution RSA Certificate Manager or RSA Registration Manager the following error shows: "This certificate request has been refused because it contains a RSA key with public exponent 3..."
This issue was seen when a Cisco VPN 3000 concentrator generated a certificate request with a 1024-bit key. Changing the key size from 1024 to 2048 resolved the issue.
|Legacy Article ID||a33967|