8.9. Changes to RSA and DSA Key Generation
Normal Red Hat Enterprise Linux 6 operation allows the generation of RSA and DSA keys of any size. Additional restrictions are applied if Red Hat Enterprise Linux 6 is run in FIPS mode.
As of Red Hat Enterprise Linux 6.6, the OPENSSL_ENFORCE_MODULUS_BITS environment variable determines key generation behavior in FIPS mode.
When FIPS mode is in use and the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set, only 2048 bit or 3072 bit RSA and DSA keys can be generated.
If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is not set, key generation behavior does not change from previous releases of Red Hat Enterprise Linux 6: the system can generate RSA keys greater than or equal to 1024 bits, and DSA keys of 1024 bits, 2048 bits, or 3072 bits.
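
A pre-flight check for provisioning scripts, built from the rules above (an added example, not Red Hat's own code). The function names are hypothetical, FIPS mode is read from /proc/sys/crypto/fips_enabled, and the variable is assumed to count as set whenever it is present in the environment, whatever its value.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# key_size_allowed FIPS ENFORCE ALG BITS
#   FIPS     1 if the system runs in FIPS mode, otherwise 0
#   ENFORCE  1 if OPENSSL_ENFORCE_MODULUS_BITS is set, otherwise 0
#   ALG      rsa or dsa
#   BITS     requested key size in bits
# Returns 0 if generation is permitted, 1 if not, 2 on bad arguments.
key_size_allowed() {
    fips=$1; enforce=$2; alg=$3; bits=$4
    case $alg in rsa|dsa) ;; *) return 2 ;; esac
    case $bits in ''|*[!0-9]*) return 2 ;; esac

    # Normal operation: keys of any size.
    [ "$fips" = 1 ] || return 0

    # FIPS mode with the variable set: 2048 or 3072 bits only.
    if [ "$enforce" = 1 ]; then
        case $bits in 2048|3072) return 0 ;; *) return 1 ;; esac
    fi

    # FIPS mode, variable not set: behavior of earlier 6.x releases.
    case $alg in
        rsa) [ "$bits" -ge 1024 ] || return 1 ;;
        dsa) case $bits in 1024|2048|3072) ;; *) return 1 ;; esac ;;
    esac
    return 0
}

# system_allows ALG BITS: apply the rules to the running system.
system_allows() {
    sys_fips=0
    [ -r /proc/sys/crypto/fips_enabled ] &&
        sys_fips=$(cat /proc/sys/crypto/fips_enabled)
    sys_enforce=0
    # Assumption: present in the environment counts as set, even if empty.
    [ "${OPENSSL_ENFORCE_MODULUS_BITS+set}" = set ] && sys_enforce=1
    key_size_allowed "$sys_fips" "$sys_enforce" "$1" "$2"
}

# Stand-alone use: sh script.sh rsa 2048
if [ "$#" -eq 2 ]; then
    if system_allows "$1" "$2"; then echo "allowed"; else echo "refused"; fi
fi
```

The variable only affects key generation in processes that inherit it, so it must be exported in the environment of the generating command, not merely set in the calling shell.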