Technical Blog Post
Abstract
Error "Illegal Key size" when trying to generate a Certificate Signing Request
Body
If the policy files associated with the JRE in use do not allow you to create a 2048-bit certificate, you will need to replace the policy files in that JRE. Older JREs disable larger key sizes by default.
The correct way to resolve this problem is to download and replace two policy jar files.
They are found in %JAVA_HOME%/jre/lib/security and are called:
local_policy.jar
US_export_policy.jar
You can download the policy jar files from here:
http://www.ibm.com/developerworks/java/jdk/security/index.html
The "local policy file" in your policy jars may contain restrictions that can be edited manually, but this is not the recommended approach because incorrect changes to the file can cause SSL to stop working.
As an example of how to enable other algorithms, the local_policy.jar file contains a file called default_local.policy. In that text file, specific crypto permissions are granted.
An example of the restrictions found in the file is shown below:
    // Some countries have import limits on crypto strength. This policy file is worldwide importable.
    grant {
        permission javax.crypto.CryptoPermission "DES", 64;
        permission javax.crypto.CryptoPermission "DESede", *;
        permission javax.crypto.CryptoPermission "RC2", 128,
            "javax.crypto.spec.RC2ParameterSpec", 128;
        permission javax.crypto.CryptoPermission "RC4", 128;
        permission javax.crypto.CryptoPermission "RC5", 128,
            "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
        permission javax.crypto.CryptoPermission "RSA", 2048;
        permission javax.crypto.CryptoPermission *, 128;
    };
You can replace the contents of this file with the contents shown below:
    // Country-specific policy file for countries with no limits on crypto strength.
    grant {
        // There is no restriction to any algorithms.
        permission javax.crypto.CryptoAllPermission;
    };
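To confirm which policy is actually in effect before and after replacing the jars, the following added example (not part of the original post and not IBM code) asks the running JRE for its per-algorithm key-size limit using the standard javax.crypto.Cipher.getMaxAllowedKeyLength call. The class name CryptoPolicyCheck and the required key sizes are assumptions chosen for illustration.

```java
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;

public class CryptoPolicyCheck {
    // Key sizes in bits that this check requires. Assumed sample values; adjust as needed.
    static Map<String, Integer> required() {
        Map<String, Integer> m = new LinkedHashMap<String, Integer>();
        m.put("RSA", 2048);
        m.put("AES", 256);
        m.put("DESede", 168);
        return m;
    }

    // Human-readable form of the limit the jurisdiction policy grants for an algorithm.
    static String describe(int maxBits) {
        return maxBits == Integer.MAX_VALUE ? "unlimited" : maxBits + " bits";
    }

    // True when the active policy permits keys of at least keyBits for the algorithm.
    static boolean allowed(String alg, int keyBits) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(alg) >= keyBits;
    }

    public static void main(String[] args) throws Exception {
        // On the older JREs discussed here, java.home is the jre directory itself.
        File dir = new File(System.getProperty("java.home"), "lib/security");
        for (String jar : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(dir, jar);
            System.out.println(f + (f.isFile() ? ": present" : ": not found"));
        }
        boolean ok = true;
        for (Map.Entry<String, Integer> e : required().entrySet()) {
            int max = Cipher.getMaxAllowedKeyLength(e.getKey());
            boolean pass = allowed(e.getKey(), e.getValue());
            ok &= pass;
            System.out.println(e.getKey() + ": policy allows " + describe(max)
                    + ", need " + e.getValue() + " bits -> " + (pass ? "OK" : "BLOCKED"));
        }
        // Non-zero exit status lets a deployment script fail fast on a restricted JRE.
        System.exit(ok ? 0 : 1);
    }
}
```

With the restricted grant shown above in effect, AES reports 128 bits and the program exits with status 1; with the unrestricted grant every algorithm reports unlimited.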
UID
ibm11132593