Certificate Authority refuses to generate a certificate for a 1024-bit private key

Problem

Certificate Authority refuses to generate or renew a certificate because 1024-bit private keys are no longer supported. A 2048-bit Certificate Signing Request (CSR) is required for both new and renewed SSL certificates.

Description

Since autumn of 2009, 1024-bit private keys are no longer considered secure, and Certificate Authorities refuse to sign CSRs generated from them. Starting from version 2.1.1, VisualSVN Server generates 2048-bit private keys.

However, upgrading to a newer version doesn't affect the existing private key. If you have been using VisualSVN Server since a version earlier than 2.1.1, you need to regenerate the private key manually.

Resolution

To generate a new 2048-bit private key for VisualSVN Server:

  1. Make sure that you have installed VisualSVN Server 2.1.1 or later.
  2. Start the command prompt (with elevated administrative permissions, if applicable).
  3. Delete the server.pem file with the following command line:
    del "%VISUALSVN_SERVER%\certs\server.pem"
  4. Restart the VisualSVN Server installer and choose to "Repair" the installation. Alternatively, you can repair the VisualSVN Server installation using the "Uninstall or change a program" control panel.
  5. The new 2048-bit private key, along with an appropriate self-signed certificate, will be generated during the repair. Other VisualSVN Server settings will not be affected.

Then you will be able to generate a 2048-bit CSR and have it signed by your Certificate Authority. For further details about SSL certificate support in VisualSVN Server, see the KB34 article.
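
To confirm the key length before generating the CSR, the following Python code (an added example, not VisualSVN code) reads the RSA modulus size from a PEM private key. It assumes server.pem holds an unencrypted PKCS#1 or PKCS#8 RSA key, which this article does not state; the function names are illustrative, and the sample keys are constructed and not usable.

```python
import base64
import re
MIN_BITS = 2048  # minimum the article says Certificate Authorities accept

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def rsa_key_bits(pem_text):
    """Modulus bit length of an unencrypted PEM RSA private key."""
    m = re.search(r"-----BEGIN (?:RSA )?PRIVATE KEY-----(.+?)-----END", pem_text, re.S)
    if not m or ":" in m.group(1):  # ':' only occurs in encryption headers
        raise ValueError("no unencrypted RSA private key block found")
    der = base64.b64decode(m.group(1))
    _, pos, _ = read_tlv(der, 0)              # enter outer SEQUENCE
    _, _, pos = read_tlv(der, pos)            # skip version INTEGER
    tag, start, end = read_tlv(der, pos)
    if tag == 0x30:                           # PKCS#8: AlgorithmIdentifier here
        _, pos, _ = read_tlv(der, end)        # enter OCTET STRING
        _, pos, _ = read_tlv(der, pos)        # enter RSAPrivateKey SEQUENCE
        _, _, pos = read_tlv(der, pos)        # skip inner version
        tag, start, end = read_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("RSA modulus INTEGER not found")
    return int.from_bytes(der[start:end], "big").bit_length()

def der_element(tag, body):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_pem(bits):
    """Constructed PKCS#1-shaped sample with the right layout, not a usable key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    body = der_element(0x02, b"\x00") + der_element(0x02, modulus)
    b64 = base64.encodebytes(der_element(0x30, body)).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n" + b64 + "-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for bits in (1024, 2048):  # constructed samples
        print(bits, "ok" if rsa_key_bits(sample_pem(bits)) >= MIN_BITS else "too short for a CSR")
```

To check a real file, pass its text to rsa_key_bits, for example the contents of %VISUALSVN_SERVER%\certs\server.pem.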

Note
Your current private key and SSL certificate will be deleted permanently. Since the private key of your VisualSVN Server will be changed, you will need to obtain a new SSL certificate. So if you're working with a production server, don't forget to back up the server.pem file.