7

After generating java keystore with: -keyalg RSA -keysize 2048 and configuring the java.security policy with:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 2048 

I keep getting errors:

java.security.cert.CertPathValidatorException: Algorithm constraints check failed on key RSA with size of 1024bits

I’m using the following command to generate a 2048bit RSA key:

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore star_domain_name.jks -storetype PKCS12 -dname "CN=*.domain_name.com,OU=Engineering, O=Company Name., L=City Name, ST=State, C=US" && keytool -certreq -alias server -file star_domain_name.com.csr -keystore star_domain_name_io.jks 

I then verify the above with:

openssl s_client -showcerts -connect localhost:443 

That shows:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2

I also view the keystore with:

keytool -list -v -keystore star_domain_name.com.jks 

Which shows:

Certificate fingerprints:
     MD5:  67:4C:04:90:35:etc...etc...
     SHA1: AD:C8:06:74:3A:F1:72:etc...etc...
     SHA256: C5:D6:81:3B:C1:F7:CE:2D:43:91:06:E9:9etc...etc...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Everywhere I look I see 2048-bit RSA key. However, when I want to use the java keystore in my java spring boot application, it keeps complaining:

  • Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on key RSA with size of 1024bits
  • Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

My java application configuration contains:

ssl.key-store: /opt/cert_path/star_domain_name.com.jks
ssl.enabled: true
ssl.key-store-password: the_password_etc...
ssl.key-store-type: PKCS12
ssl.key-alias: tomcat

As soon as I edit the java.security file, and remove RSA keySize < 2048 from it, and restart the application, everything works…

Is this because I did not import a signed domain cert and the keystore is empty? I doubt it.

Why does the application complain although I clearly configured the policy file and the java keystore for 2048 bits?

The java.security file also contains:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 

Should that also be adjusted?

I've actually tried to adjust that, but that had no effect...

5
  • Hi & welcome to Stack Overflow! Interesting question! Would you also share/tell us your Java version? Commented Feb 11, 2019 at 21:08
  • And for java.security.cert.CertPathValidatorException, "try also" jdk.certpath.disabledAlgorithms (in addition to jdk.tls... and jdk.jar...). Commented Feb 11, 2019 at 21:19
  • As I understand the problem/question: the 2048 key fails, @user207421. And confusing 1: "As soon as I edit the java.security file, and remove RSA keySize < 2048 from it, and restart the application, everything works…" and confusing 2: "Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on key RSA with size of 1024bits" Commented Feb 11, 2019 at 22:51
  • You think you have a 2048 key, @SUP3RS3T, but "confusing 1 + 2" (my previous comment) match the fact that "Spring Boot uses another key with 1024b"! Commented Feb 11, 2019 at 22:53
  • Which version of the JDK do you use? Do you have JSSE? Commented Feb 15, 2019 at 14:17

3 Answers

12

I was stuck with that for a long time, and finally, I have found the solution.

So whenever I modified the file java.security, it would have no effect, because there is a second file java.config (on Linux it is located: /etc/crypto-policies/back-ends/java.config) that overrides the params in java.security.

This is controlled by the property (in java.security):

security.useSystemPropertiesFile=true

So, either change that property to false, or modify params directly in java.config.

This has worked for me!

2 Comments

Thank you!!!! After 12 hours of frustration...
Glad to help you! I had also that kind of frustration 😄.
3

Just wanted to add to this. After enabling cert debugging via adding

-Djava.security.debug=certpath 

So, as an example:

java -Xms64m -Xmx512m -Djava.security.debug=certpath -Dspring.config.location=config.file -jar appname.jar &>> logfile.log & 

I'm finally able to see why Java is complaining. Apparently encrypted AWS RDS instances use an SSL cert that's 1024 bit. When my Java applications call it, they fail because their policy is set to only accept RSA < 2048 keySize.

I contacted AWS for further guidance.

If anyone is struggling to troubleshoot Java cert issues, make use of:

-Djava.security.debug=certpath 

It's extremely helpful.

Thank you.

3

I've successfully handled those errors about RSA key sizes by changing the Java configuration to allow the key size used by the destination server I was trying to communicate with. It's pretty much what was covered by the other answers here, but this way you'll be sure all bases are covered.

  1. Find all java.config and java.security files on your OS file system:

find / -iname java.config

find / -iname java.security

  2. Verify which crypto policy your system is currently applying (it could be DEFAULT, LEGACY or FUTURE):

update-crypto-policies --show

  3. Open (vi/nano) the java.config file related to your current policy and also java.security, and find the configurations regarding RSA key size (RSA keySize < X or RSA keySize >= Y). On each one, change the operator and the value that follows to suit your needs, then save the file. For example, if your error message complains about an RSA 1024-bit key, you should have the following, which means you're not allowing keys smaller than 1024 bits, so 1024 or above will be fine:

RSA keySize < 1024

  4. Restart your service.

That's it. The guide above assumes you're using Linux, but if you're not, you can adjust the commands to your OS.
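One way to check which of the two files actually governs the constraint that the accepted answer describes and that the procedure above edits, as an added example that is not code from the question or from any answer; it assumes the java.config path the accepted answer names and works on constructed sample files:

```shell
#!/bin/sh
# Added example, not code from the question or its answers. It resolves which
# file's jdk.tls.disabledAlgorithms a JDK will enforce: per the accepted answer,
# with security.useSystemPropertiesFile=true the crypto-policies back-end
# (/etc/crypto-policies/back-ends/java.config, assumed default) overrides
# java.security. Only single-line properties are handled (no "\" continuations).
get_prop() {  # get_prop FILE NAME -> value, comments ignored, first match wins
    grep -v '^[[:space:]]*#' "$1" | grep "^[[:space:]]*$2[[:space:]]*=" |
        head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

effective_file() {  # effective_file JAVA_SECURITY PROP [JAVA_CONFIG] -> path
    cfg="${3:-/etc/crypto-policies/back-ends/java.config}"
    if [ "$(get_prop "$1" security.useSystemPropertiesFile)" = "true" ] &&
       [ -r "$cfg" ] && [ -n "$(get_prop "$cfg" "$2")" ]; then
        printf '%s\n' "$cfg"    # java.config is loaded later and wins
    else
        printf '%s\n' "$1"
    fi
}

rsa_min_bits() {  # rsa_min_bits VALUE -> N from "RSA keySize < N", or 0 if none
    n=$(printf '%s\n' "$1" | sed -n 's/.*RSA keySize *< *\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${n:-0}"
}
rsa_key_allowed() {  # rsa_key_allowed VALUE BITS -> exit 0 if the key passes
    [ "$2" -ge "$(rsa_min_bits "$1")" ]
}

# Constructed sample files reproducing the question: java.security was relaxed
# to "< 1024" but the distribution's java.config still says "< 2048".
DEMO=$(mktemp -d)
cat > "$DEMO/java.security" <<'EOF'
# constructed, trimmed java.security
security.useSystemPropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 1024
EOF
cat > "$DEMO/java.config" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 2048
EOF

WINNER=$(effective_file "$DEMO/java.security" jdk.tls.disabledAlgorithms "$DEMO/java.config")
POLICY=$(get_prop "$WINNER" jdk.tls.disabledAlgorithms)
echo "effective jdk.tls.disabledAlgorithms comes from $WINNER"
for bits in 1024 2048; do   # 1024 is what answer 2 found on the RDS endpoint
    rsa_key_allowed "$POLICY" "$bits" && echo "RSA $bits-bit peer key: accepted" ||
        echo "RSA $bits-bit peer key: rejected (Algorithm constraints check failed)"
done
```

Point effective_file at the real /etc/java*/security/java.security and java.config paths found in step 1 to see which one your JDK is actually reading.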
