TSS0472E INVALID PRIVATE KEY SIZE when TSS GENCERTing certificates with a KEYSIZE of 2048

Document ID : KB000016110
Last Modified Date : 14/02/2018
Introduction:

A TSS GENCERT of a certificate with a KEYSIZE of 2048 fails with the error message:

TSS0472E INVALID PRIVATE KEY SIZE

Question:

I am trying to generate a temp certificate with keysize 2048/RSA and a Subject Alternative Name of DOMAIN=WEBSVCX, but I get an error telling me that I specified an invalid keysize? Note: This certificate will later be used as input to a GENREQ.

(error message)
TSS GENCERT(CERTSITE) DIGICERT(WEBSVCX) SUBJECTN('O="FMBWEBS" CN="WEBSVCX" OU="SYSTEMS" C="US"') LABLCERT('WEBSVCX') KEYUSAGE(HANDSHAKE) KEYSIZE(2048) ALTNAME(DOMAIN=WEBSVCX)
TSS0472E INVALID PRIVATE KEY SIZE
TSS0301I GENCERT FUNCTION FAILED, RETURN CODE = 4

Answer:

Set the CA Top Secret control option MAXKEYSIZE to 2048, and make sure RO84901 is applied.