Video Screencast Help

keys smaller than 1024 bits are not supported

Created: 24 Nov 2011 | 2 comments


I tried to import a cached S/MIME key. First I got the answer "There were errors importing the cached key into the system."

In Admin Log the following entries appeared:

- Cannot import cached key [CachedKey:36989ee5-ba0c-47f3-be98-2338208cf531]

- Not importing user "User Name <>" (KeyID: 0x217004B3) because keys smaller than 1024 bits are not supported

I analysed the key and noticed that the key size is only 512 bit.

Does anyone have an idea to import the key inspite of the minimum requirement? How can I disable the validation of the key size?

We are using PGP Universal version 3.1.2 Build (9). Update to the latest version is planned..



Comments 2 CommentsJump to latest comment

PGP_Ben's picture

There is no way that I know of to do so, I have even looked at the PGP Universal Server command line options via SSH. I don't see any such option. This appears to be by design, as this is a security requirement.

As a matter of fact, we generate 2048 bit keys for users on the PGP universal server by default. I would imagine if you regenerate those certificates to be larger that would allow you to import them. But I understand the implications of such a requirement.

I also found this snippet in our PGP Universal Server Administrators guide:

If you are going to regenerate your Organization Key, you should use a fairly high bit size, such as 2048. However, if you are going to be using X.509 certificates and S/MIME, be aware that many clients only support up to 1024 bits; thus you may want to use 1024 bits for maximum compatibility with S/MIME. All clients can be expected to support at least 4096 bits.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

CBtz's picture

Thank you Ben for your response.

Now I tried to import the corresponding key into PGP Desktop (10.1.1). I'm just wondering why it would be accepted by PGP Desktop and refused by Universal Server.

Unfortunately I do not have any influence to that key because it is of one of our clients. So I cannot recreate the key. I told our client about the circumstances and now I'm waiting for a response. However we often receive signatures or keys with only key size of 512 bits. So I urgently need a way to use these keys in spite of the strict security requirements of Universal Server.

In other cases I got some hints by Telephone Support of PGP. To solve a problem it was sometimes possible to disable or control a feature by inserting some XML data into the config. Maybe there is a similar way to disable the validation of the key size?