PROBLEM SUMMARY
When enrolling a certificate without specifying a key size, vcert falls back to a hardcoded default of RSA 2048 instead of using the recommended default from the TPP policy or TLSPC Issuing Template. If 2048 is not in the allowed key sizes, the request fails. The defaults.keyPair.rsaKeySize value is correctly returned by the API (confirmed via getpolicy) but never consumed by vcert.
STEPS TO REPRODUCE
- Configure an Issuing Template (TLSPC) or TPP policy with a recommended key size of 3072
- Remove 2048 from the allowed key sizes
- Confirm defaults are returned correctly:
vcert getpolicy -p vcp -k <apikey> -z "app\template"
Returns:
    "defaults": {
        "keyPair": {
            "keyType": "RSA",
            "rsaKeySize": 3072
        }
    }
- Enroll without specifying a key size:
vcert enroll -p vcp -k <apikey> -z "app\template" --cn "test.example.com" --san-dns "test.example.com"
- Same test with a playbook containing only commonName and no keySize
EXPECTED RESULTS
vcert should use the recommended default key size (3072) from the policy/Issuing Template when no key size is specified by the user.
ACTUAL RESULTS
vcert defaults to RSA 2048 and the request is rejected.
TLSPC:
Error Code: 10731 Error: Key length is invalid
TPP:
Key algorithm error. Key algorithm violates policy settings.
Behavior is identical on both platforms, affecting both CLI and playbook.
ENVIRONMENT DETAILS
- vcert v5.12.3 (latest release), pre-built Linux x86_64 binary
- Ubuntu 24.04
- Tested against TLSPC (SaaS) and TPP (self-hosted, 24.x)
COMMENTS/WORKAROUNDS
Workaround: explicitly pass --key-size 3072 on the CLI or set keySize: 3072 in the playbook YAML.
UpdateCertificateRequest() in pkg/endpoint/endpoint.go checks AllowedKeyConfigurations for validation but does not consume defaults.keyPair.rsaKeySize when the user hasn't specified a key size. The logic to read the recommended default from the zone configuration and apply it appears to be missing.
Being able to drive key type and size from the policy would be valuable for automation, especially as organizations move toward stronger key sizes.
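The fallback order the report asks for (user-supplied size, then the policy's recommended default, then the hardcoded 2048, followed by validation against the allowed key configurations) as a small stand-alone Go program. This is an added illustration, not vcert's code: the Policy, AllowedKey and Request types, the "allowedKeys" JSON field, and the ApplyDefaults/validate function names are assumptions for the example; only the "defaults.keyPair.rsaKeySize" shape comes from the getpolicy output above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// SamplePolicy is a constructed policy document. The "defaults" block mirrors
// the getpolicy output quoted in the report; "allowedKeys" is an assumed field
// name used here to model the allowed key sizes, not vcert's real schema.
const SamplePolicy = `{
  "defaults": {"keyPair": {"keyType": "RSA", "rsaKeySize": 3072}},
  "allowedKeys": [{"keyType": "RSA", "keySizes": [3072, 4096]}]
}`

// KeyPairDefaults holds the policy's recommended key type and RSA size.
type KeyPairDefaults struct {
	KeyType    string `json:"keyType"`
	RSAKeySize int    `json:"rsaKeySize"`
}

// AllowedKey is one permitted key type with its permitted sizes (assumed shape).
type AllowedKey struct {
	KeyType  string `json:"keyType"`
	KeySizes []int  `json:"keySizes"`
}

// Policy is the subset of a zone policy this example needs.
type Policy struct {
	Defaults struct {
		KeyPair KeyPairDefaults `json:"keyPair"`
	} `json:"defaults"`
	AllowedKeys []AllowedKey `json:"allowedKeys"`
}

// Request is a minimal stand-in for a certificate request. KeySize == 0 means
// the caller did not specify one, which is the case the report describes.
type Request struct {
	KeyType string
	KeySize int
}

// HardcodedRSADefault is the fallback the report says vcert uses today.
const HardcodedRSADefault = 2048

var ErrKeyNotAllowed = errors.New("key size not permitted by policy")

// ParsePolicy decodes the policy JSON into the Policy struct.
func ParsePolicy(raw string) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	return &p, nil
}

// ApplyDefaults fills an unspecified key type/size from the policy's
// recommended defaults, falls back to 2048 only when the policy carries no
// recommendation, and then validates the result against the allowed list.
func ApplyDefaults(p *Policy, r *Request) error {
	if r.KeyType == "" {
		r.KeyType = "RSA"
		if p.Defaults.KeyPair.KeyType != "" {
			r.KeyType = p.Defaults.KeyPair.KeyType
		}
	}
	if r.KeySize == 0 && r.KeyType == "RSA" {
		r.KeySize = HardcodedRSADefault
		if p.Defaults.KeyPair.RSAKeySize > 0 {
			r.KeySize = p.Defaults.KeyPair.RSAKeySize
		}
	}
	return validate(p, r)
}

// validate rejects a request whose key type/size is not in the allowed list.
// An empty allowed list means the policy does not restrict keys.
func validate(p *Policy, r *Request) error {
	if len(p.AllowedKeys) == 0 {
		return nil
	}
	for _, a := range p.AllowedKeys {
		if a.KeyType != r.KeyType {
			continue
		}
		for _, s := range a.KeySizes {
			if s == r.KeySize {
				return nil
			}
		}
	}
	return fmt.Errorf("%w: %s %d", ErrKeyNotAllowed, r.KeyType, r.KeySize)
}

func main() {
	p, err := ParsePolicy(SamplePolicy)
	if err != nil {
		panic(err)
	}
	r := Request{} // no key size given on the CLI or in the playbook
	fmt.Println("result:", ApplyDefaults(p, &r), r) // uses 3072, passes validation
}
```

With the policy above, an empty request is filled to RSA 3072 and accepted; the same request against a policy with no recommended size falls back to 2048 and is rejected, which reproduces the failure in the report.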