Configuration Checker warns that 'CertificateProfile' allows ECC but 'keyEncipherment' is enabled, despite 'Forbid encryption usage for ECC keys' enabled

[uedvt359]

Hi, we have a question regarding the Configuration Checker. It shows the warning, that keyEncipherment' is enabled for an RSA+ECC profile. We thought that checking the Forbid encryption usage for ECC keys box would fix the issue, but the warning remains. Are we misunderstanding what this checkbox does?

Version : EJBCA 8.2.0.1 Community

[svenska-primekey]

If there is any type of encryption happening I would recommend 2 different cert profiles and not to mix RSA with EC.

[uedvt359]

we are looking at this doc:

Forbid encryption usage for ECC keys: This flag enables selecting both RSA and ECSDA key algorithms in the Certificate Profile. When selected Data Encipherment and Key Encipherment key usages will be disabled for ECDSA during certificate creation.

we thought that this means that we can use one certProfile for both.

[primetomas]

The configuration checker is deprecated and will be removed. I think it's simply that the configuration checker does not understant the flag "Forbid encryption usage..."

[uedvt359]

Thanks, that answers our question!