Azure · arsing · Aug 17, 2022
diff --git a/cert/aziot-certd/src/lib.rs b/cert/aziot-certd/src/lib.rs
@@ -521,7 +521,7 @@ async fn create_cert_inner<'a>(
                                 .key_client
                                 .create_key_pair_if_not_exists(
                                     &x509.identity.pk,
-                                    Some("ec-p256:rsa-4096:*"),
+                                    Some("ec-p256:rsa-2048:*"),
                                 )
                                 .await?;
                             let cstr = CString::new(handle.0)?;

diff --git a/cert/aziot-certd/src/renewal.rs b/cert/aziot-certd/src/renewal.rs
@@ -193,7 +193,7 @@ impl cert_renewal::CertInterface for EstIdRenewal {
 
             let key_handle = self
                 .key_client
-                .create_key_pair_if_not_exists(&key_id, Some("ec-p256:rsa-4096:*"))
+                .create_key_pair_if_not_exists(&key_id, Some("ec-p256:rsa-2048:*"))
                 .await
                 .map_err(|_| cert_renewal::Error::retryable_error("failed to generate temp key"))?;
 

diff --git a/identity/aziot-identityd/src/identity.rs b/identity/aziot-identityd/src/identity.rs
@@ -856,7 +856,7 @@ impl IdentityManager {
 
                 let key_handle = self
                     .key_client
-                    .create_key_pair_if_not_exists(identity_pk, Some("rsa-2048:*"))
+                    .create_key_pair_if_not_exists(identity_pk, Some("ec-p256:rsa-2048:*"))
                     .await
                     .map_err(|err| Error::Internal(InternalError::CreateCertificate(err.into())))?;
 

diff --git a/identity/aziot-identityd/src/renewal.rs b/identity/aziot-identityd/src/renewal.rs
@@ -55,7 +55,7 @@ impl IdentityCertRenewal {
             }
 
             let key_handle = key_client
-                .create_key_pair_if_not_exists(key_id, Some("rsa-2048:*"))
+                .create_key_pair_if_not_exists(key_id, Some("ec-p256:rsa-2048:*"))
                 .await
                 .map_err(|err| {
                     crate::Error::Internal(crate::InternalError::CreateCertificate(
@@ -163,7 +163,7 @@ impl cert_renewal::CertInterface for IdentityCertRenewal {
 
             let key_handle = self
                 .key_client
-                .create_key_pair_if_not_exists(&key_id, Some("rsa-2048:*"))
+                .create_key_pair_if_not_exists(&key_id, Some("ec-p256:rsa-2048:*"))
                 .await
                 .map_err(|_| cert_renewal::Error::retryable_error("failed to generate temp key"))?;