4.4 Entrust v10-specific behavior
Entrust v10 behaves differently from Entrust 8.x, and you may encounter the following issues.
4.4.1 The size of server-generated encryption keys can be increased by the CA
The default key length for server-generated user encryption keys is configured when you first configure and initialize Security Manager.
For example, if you set the size of the server keys to 3K and later request a 2K key, you receive a 3K key. This applies across key types: for example, if at installation you chose ECC-384 and later request an RSA 2048-bit key, Entrust returns an RSA 3072-bit key, the equivalent 3K size.
To prevent this, set the userEncryptionAlg policy setting back down to RSA-2048; you will then receive the expected key size.
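Because the CA silently substitutes its configured size, it is worth checking the key you actually received against the size you requested. The following stdlib-only Python is an added example written for this page (not Entrust's or the product's own code): it parses the modulus length out of a DER SubjectPublicKeyInfo (for instance the public key taken from the issued certificate) and flags a mismatch. The 3072-bit modulus used as input is constructed test data, not a real key.

```python
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption

def _tlv(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v):
    """DER INTEGER: big-endian, with a leading 0x00 if the top bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)

def build_rsa_spki(modulus, exponent=65537):
    """Build a SubjectPublicKeyInfo around a CONSTRUCTED modulus (test data, not a real key)."""
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")
    pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + pub))  # BIT STRING, 0 unused bits

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Return the RSA modulus size in bits from a DER SubjectPublicKeyInfo."""
    _, body, _ = _read_tlv(spki_der, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _read_tlv(body, 0)           # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bits, _ = _read_tlv(body, pos)          # subjectPublicKey BIT STRING
    _, pub, _ = _read_tlv(bits[1:], 0)         # RSAPublicKey SEQUENCE (skip unused-bits byte)
    _, n, _ = _read_tlv(pub, 0)                # modulus INTEGER
    return int.from_bytes(n, "big").bit_length()

def key_size_matches(requested_bits, spki_der):
    """Return (matches, actual_bits); False means the CA changed the size you asked for."""
    actual = rsa_modulus_bits(spki_der)
    return actual == requested_bits, actual

if __name__ == "__main__":
    # Constructed 3072-bit modulus standing in for what a CA configured for 3K keys hands back.
    der = build_rsa_spki((1 << 3071) + 12345)
    print(key_size_matches(2048, der))  # (False, 3072): requested 2K, received 3K
```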
4.4.2 Entrust v10 reports external user configuration failures differently
To use Entrust with non-co-located users, you must set a noUserInDirectory value for each policy; see section 2.1.5, Issuing Certificates to users that do not exist in the directory.
If this is misconfigured, Entrust v8.x reports an unknown-user error, which is easy to interpret.
However, Entrust v10 instead reports an error similar to the following:
-02989 LDAP protocol error