Commit 0052286

small docs change: minimum key size (letsencrypt#5158)
Implementation Details now mentions minimum RSA key size and links to the official LetsEncrypt announcement for supporting a limited set of key sizes.
1 parent cd3a06b commit 0052286

1 file changed

+16
-9
lines changed

docs/acme-implementation_details.md

Lines changed: 16 additions & 9 deletions
@@ -12,10 +12,11 @@ ACME Servers, including the [Pebble](https://github.com/letsencrypt/pebble)
1212
test server.
1313

1414
The following items are a partial listing of RFC-conformant design decisions
15-
Boulder has made. This listing is not complete, and is based on known details
16-
which have caused issues for developers in the past. This listing may not
17-
reflect the current status of Boulder or the configuration of LetsEncrypt's
18-
production instance and is provided only as a reference for client developers.
15+
Boulder and/or LetsEncrypt have made. This listing is not complete, and is
16+
based on known details which have caused issues for developers in the past. This
17+
listing may not reflect the current status of Boulder or the configuration of
18+
LetsEncrypt's production instance and is provided only as a reference for client
19+
developers.
1920

2021
Please note: these design implementation decisions are fully conformant with the
2122
RFC specification and are not
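Review bot: "Boulder and/or LetsEncrypt have made" on new line 15 leaves it unclear which items in the listing are Boulder software behaviour and which are LetsEncrypt production policy, even though the same paragraph warns that the listing may not reflect either one. Consider dropping "and/or" and marking each item in the listing as a Boulder decision or a LetsEncrypt policy, so client developers know which constraints come from the software and which from the production configuration. The paragraph was also rewrapped, so a change of a few words shows up as five changed lines; keeping the original wrap would make the diff easier to review.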
@@ -58,12 +59,18 @@ extension, and will reject a CSR if a domain specified in the `commonName` is
5859
not present in the `subjectAltName`. Additionally, usage of the `commonName`
5960
was previously deprecated by the CA/B Forum and in earlier RFCs.
6061

61-
For more information on this see [Pebble Issue #304](https://github.com/letsencrypt/pebble/issues/304) and
62-
[Pebble Issue #233] https://github.com/letsencrypt/pebble/issues/233
63-
64-
65-
62+
For more information on this see [Pebble Issue #304](https://github.com/letsencrypt/pebble/issues/304)
63+
and [Pebble Issue #233](https://github.com/letsencrypt/pebble/issues/233).
6664

6765

66+
## RSA Key Size
6867

68+
The ACME specification is silent as to minimum key size.
69+
The [CA/Browser Forum](https://cabforum.org/) sets the key size requirements
70+
which LetsEncrypt adheres to.
6971

72+
Effective 2020-09-17, LetsEncrypt further requires all RSA keys for end-entity
73+
(leaf) certificates have a modulus of length 2048, 3072, or 4096. Other CAs may
74+
or may not have the same restricted set of supported RSA key sizes.
75+
For more information
76+
[read the Official Announcement](https://community.letsencrypt.org/t/issuing-for-common-rsa-key-sizes-only/133839).
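Review bot: The new "RSA Key Size" section gives the accepted modulus lengths on new lines 72-73 as "2048, 3072, or 4096" with no unit, and states the minimum that the commit title promises only implicitly. Suggest "a modulus of 2048, 3072, or 4096 bits" plus one sentence naming the minimum outright, and pointing the CA/Browser Forum link on new line 69 at the requirements document rather than the forum home page. The text scopes the rule to keys for end-entity (leaf) certificates and does not say whether ACME account keys are covered; a sentence on that would save client developers a guess.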
