You have purchased an SSL certificate for your website that encrypts with a key length of 8192 bit or more. You often hear from your website visitors that this certificate is not recognized correctly by the browser. As a rule, these are Mac OS users who access your site via Chrome/Chromium or Safari. In fact, it hits any browser that uses the native crypto stack of Mac OS X. It’s not a bug, so Apple can’t fix it. However, there is a very simple way out.
Where does the bug come from?
The bug stems from the 2006-007 Security Update. Since then browsers issue error messages when websites use certificates that encrypt with 8192 bit or larger key lengths. Certificates with 4096-bit keys or less do not cause any problems.
To fix the error
Under Mac OS Mountain Lion (10.8) or lower, overwrite the default size to the key size you need in the command line „/Library/Preferences/com.apple.crypto RSAMaxKeySize -int <size>“. If you are using Mac OS Mavericks (10.9) or higher, go to the command line „/Library/Preferences/com.apple.crypto RSAMaxKeySize -int <size>“ and set the size individually again. The only difference between the lines is that up to version 10.8 it is called „/com.apple.crypto“, higher versions are called „/com.apple.security“.
At opensource.apple.com you can have a closer look at this with the corresponding hints. With 8192 bit certificates it has to look like this:
sudo defaults write /Library/Preferences/com.apple.crypto RSAMaxKeySize -int 8192
sudo defaults write /Library/Preferences/com.apple.security RSAMaxKeySize -int 8192
If you want to be future-proof, you can also specify a longer key length so that you can save this process the next time you install your SSL certificates with a longer key length. Other functions do not affect you by setting the key length.
We would like to thank Mr. Keller for this valuable tip!