8.9. Changes to RSA and DSA Key Generation

Normal Red Hat Enterprise Linux 6 operation allows the generation of RSA and DSA keys of any size. Additional restrictions are applied if Red Hat Enterprise Linux 6 is run in FIPS mode.

As of Red Hat Enterprise Linux 6.6, the OPENSSL_ENFORCE_MODULUS_BITS environment variable determines key generation behavior in FIPS mode.

When FIPS mode is in use and the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set, only 2048 bit or 3072 bit RSA and DSA keys can be generated.

If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is not set, key generation behavior does not change from previous releases of Red Hat Enterprise Linux 6: the system can generate RSA keys greater than or equal to 1024 bits, and DSA keys of 1024 bits, 2048 bits, or 3072 bits.