TLS/SSL certificate key size too small
Description
The server presents one or more TLS/SSL certificates that use cryptographic keys smaller than the recommended minimum size. Modern security standards require RSA keys to be at least 2,048 bits and ECDSA keys to be at least 256 bits. Smaller keys are vulnerable to brute-force attacks and factorization techniques that can compromise the certificate's security.
Note: This vulnerability may be present in the server's leaf certificate, an intermediate certificate, or a certificate authority certificate in the chain. Review the certificate serial number in the detailed findings to identify which specific certificate is affected.
Remediation
Replace all certificates using weak keys with new certificates that meet current cryptographic standards:
1. Generate new key pairs with appropriate key sizes:
- For RSA: Use a minimum of 2,048 bits (3,072 or 4,096 bits recommended for long-term security)
- For ECDSA: Use a minimum of 256 bits (P-256 curve or higher)
2. Request new certificates from your Certificate Authority (CA) using the newly generated keys
3. Install the new certificates on your server, ensuring the entire certificate chain uses adequate key sizes
4. Update intermediate certificates if they are the source of the weak keys
5. Test the configuration using SSL/TLS testing tools to verify all certificates in the chain meet security requirements
6. Revoke old certificates with weak keys to prevent their continued use
Consider migrating to ECDSA certificates, which provide equivalent security with smaller key sizes and better performance compared to RSA.