HPE OneView

Appliance CSR with user specified number of bits

 
bradawk1
Trusted Contributor

Appliance CSR with user specified number of bits

Our internal CS is no longer accepting CSRs signed with anything less than 4096 bits.  I can't find any option for specifying the number of bits on the PUT /rest/certificates/https API reference.  Is this available?  If not, can it get added please?

Azr_geek
Frequent Advisor

Re: Appliance CSR with user specified number of bits

Hello @bradawk1,

If the PUT /rest/certificates/https endpoint doesn’t expose a parameter for specifying key length (e.g., keySize, key_bits, or similar), then the appliance likely generates CSRs using a default key size — commonly 2048 bits.

Many appliance REST APIs don’t let you override this in the API call itself; instead, the bit length may be set in a system-level or certificate management configuration.

If your internal CA now requires 4096-bit CSRs, and there’s no documented API parameter for this, then it’s not currently supported and would indeed need a feature request to the appliance vendor (to add a field like "key_size": 4096 to the request body).

Note: I am not an expert, but with the help of my subordinates, I have shared this information.

Regards,
Azr_geek

DanCernese
HPE Pro

Re: Appliance CSR with user specified number of bits

I'm not experienced in this space, but you can ask for "at least 3072" (CNSA mode). 



I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
bradawk1
Trusted Contributor

Re: Appliance CSR with user specified number of bits

We just updated to 10.20 and I have a certificate expiring in either December or January.  So, I'll find out soon. 

bradawk1
Trusted Contributor

Re: Appliance CSR with user specified number of bits

I ran a test CSR generate using the REST API. It only created 2048 bit encrypted keys. If you go in through the GUI to generate the CSR, there is a checkbox "Generate CNSA-compatible signing request" which will get a 3072 bit cert. This really should be a programmable option for the user to select the number of bits used in encryption. Please take this as an engineering change request.
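
Added example, not part of the thread and not HPE code: one way to confirm the RSA key length of a PEM CSR before submitting it to a CA that enforces a minimum size, using only the Python standard library. The function names are assumptions, and `constructed_csr` builds an unsigned dummy request purely as sample input.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(buf, pos=0):  # read one DER element at pos; return (content, next_pos)
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + n], pos + n

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        val, pos = _tlv(content, pos)
        out.append(val)
    return out

def csr_rsa_bits(pem):
    """Return the RSA modulus length in bits of a PEM PKCS#10 CSR."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    info = _children(_tlv(base64.b64decode(body))[0])[0]  # certificationRequestInfo
    alg, key = _children(_children(info)[2])  # subjectPKInfo: algorithm, BIT STRING
    if _children(alg)[0] != RSA_OID:
        raise ValueError("not an RSA key")
    modulus = _children(_tlv(key, 1)[0])[0]  # skip unused-bits byte, open RSAPublicKey
    return int.from_bytes(modulus, "big").bit_length()

def meets_policy(pem, min_bits):
    return csr_rsa_bits(pem) >= min_bits

def _enc(tag, content):
    n = len(content)
    k = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + hdr + content

def constructed_csr(bits):
    """Constructed sample, not a real request: PKCS#10 layout, dummy modulus, empty signature."""
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps it positive
    rsa = _enc(0x30, _enc(0x02, mod) + _enc(0x02, b"\x01\x00\x01"))
    spki = _enc(0x30, _enc(0x30, _enc(0x06, RSA_OID) + _enc(0x05, b"")) + _enc(0x03, b"\x00" + rsa))
    info = _enc(0x30, _enc(0x02, b"\x00") + _enc(0x30, b"") + spki + _enc(0xA0, b""))
    der = _enc(0x30, info + _enc(0x30, _enc(0x06, RSA_OID)) + _enc(0x03, b"\x00"))  # placeholder sig alg
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":  # sizes mentioned in the thread, checked against a 4096-bit minimum
    print({b: meets_policy(constructed_csr(b), 4096) for b in (2048, 3072, 4096)})
```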

DanCernese
HPE Pro

Re: Appliance CSR with user specified number of bits

I can file your request if you send me directly company info with a contact.  It would be fixed length however, based on common industry CAs.

  • Public CAs (like DigiCert, Let's Encrypt, Sectigo, etc.) typically use 4096-bit RSA or ECC P-256/P-384 for root certificates.
  • Intermediate CA certificates often use 2048-bit or 3072-bit RSA, or ECC P-256.
  • End-entity certificates (the ones issued to customers/websites) are usually RSA 2048-bit or ECC P-256.

Larger key sizes reduce HPE OneView's ability to respond robustly at scale, as they consume significant compute resources on the appliance.


