Respect configured RSA key size when creating app certificates (#3513)

mrsuciu · web-flow · commit 0cb20d6c74f7 · 2026-02-02T10:11:09.000+02:00
diff --git a/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs b/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs
@@ -462,12 +462,13 @@ await id.LoadPrivateKeyExAsync(passwordProvider, configuration.ApplicationUri, m
             {
                 if (!DisableCertificateAutoCreation)
                 {
-                    certificate = await CreateApplicationInstanceCertificateAsync(
-                            configuration,
-                            id,
-                            lifeTimeInMonths,
-                            ct)
-                        .ConfigureAwait(false);
+                certificate = await CreateApplicationInstanceCertificateAsync(
+                        configuration,
+                        id,
+                        minimumKeySize,
+                        lifeTimeInMonths,
+                        ct)
+                    .ConfigureAwait(false);
                 }
                 else
                 {
@@ -831,13 +832,15 @@ private async Task<bool> CheckDomainsInCertificateAsync(
         /// </summary>
         /// <param name="configuration">The configuration.</param>
         /// <param name="id">The certificate identifier.</param>
+        /// <param name="minimumKeySize">Minimum RSA key size to use when creating the certificate.</param>
         /// <param name="lifeTimeInMonths">The lifetime in months.</param>
         /// <param name="ct">Cancellation token to cancel operation with</param>
         /// <returns>The new certificate</returns>
         /// <exception cref="ServiceResultException"></exception>
         private async Task<X509Certificate2> CreateApplicationInstanceCertificateAsync(
             ApplicationConfiguration configuration,
             CertificateIdentifier id,
+            ushort minimumKeySize,
             ushort lifeTimeInMonths,
             CancellationToken ct)
         {
@@ -874,10 +877,16 @@ await DeleteApplicationInstanceCertificateAsync(configuration, id, ct).Configure
                 id.CertificateType == ObjectTypeIds.RsaMinApplicationCertificateType ||
                 id.CertificateType == ObjectTypeIds.RsaSha256ApplicationCertificateType)
             {
-                id.Certificate = builder.SetRSAKeySize(CertificateFactory.DefaultKeySize)
-                    .CreateForRSA();
+                ushort keySize = minimumKeySize == 0
+                    ? CertificateFactory.DefaultKeySize
+                    : minimumKeySize;
+
+                id.Certificate = builder.SetRSAKeySize(keySize).CreateForRSA();
 
-                m_logger.LogInformation("Certificate {Certificate} created for RSA.", id.Certificate.AsLogSafeString());
+                m_logger.LogInformation(
+                    "Certificate {Certificate} created for RSA with key size {KeySize} bits.",
+                    id.Certificate.AsLogSafeString(),
+                    keySize);
             }
             else
             {
diff --git a/Tests/Opc.Ua.Configuration.Tests/ApplicationInstanceTests.cs b/Tests/Opc.Ua.Configuration.Tests/ApplicationInstanceTests.cs
@@ -142,6 +142,48 @@ public async Task TestNoFileConfigAsClientAsync()
             Assert.True(certOK);
         }
 
+        [Test]
+        public async Task TestNoFileConfigRespectsMinimumKeySizeOnCreationAsync()
+        {
+            ITelemetryContext telemetry = NUnitTelemetryContext.Create();
+
+            var applicationInstance = new ApplicationInstance(telemetry) { ApplicationName = ApplicationName };
+            Assert.NotNull(applicationInstance);
+
+            CertificateIdentifierCollection applicationCerts =
+                ApplicationConfigurationBuilder.CreateDefaultApplicationCertificates(
+                    SubjectName,
+                    CertificateStoreType.Directory,
+                    m_pkiRoot);
+
+            const ushort minimumKeySize = 4096;
+
+            ApplicationConfiguration config = await applicationInstance
+                .Build(ApplicationUri, ProductUri)
+                .AsClient()
+                .AddSecurityConfiguration(applicationCerts, m_pkiRoot)
+                .SetMinimumCertificateKeySize(minimumKeySize)
+                .CreateAsync()
+                .ConfigureAwait(false);
+            Assert.NotNull(config);
+
+            bool certOK = await applicationInstance
+                .CheckApplicationInstanceCertificatesAsync(true)
+                .ConfigureAwait(false);
+            Assert.True(certOK);
+
+            CertificateIdentifier certId = config.SecurityConfiguration.ApplicationCertificates[0];
+            X509Certificate2 certificate = await certId
+                .FindAsync(
+                    true,
+                    config.ApplicationUri,
+                    telemetry)
+                .ConfigureAwait(false);
+
+            Assert.NotNull(certificate);
+            Assert.AreEqual(minimumKeySize, X509Utils.GetPublicKeySize(certificate));
+        }
+
         [Test]
         public async Task TestBadApplicationInstanceAsync()
         {
