encryptKey length for ECDSA Management CA

[Alestor]

I'm in the process of deploying a fresh ejbca-ca installation and want to use ECDSA keys for the Management CA. The signKey is provisioned according to my configuration but the encryptKey will be generate with a key size of 2048.
I'm aware that the encryptKey has to be RSA - I'm looking for a way to get a key length of at least 4096.

If I configure ca.keytype=RSA and ca.keyspec=4096, signKey and encryptKey will have a length of 4096 bit.

Is there a way to get the encryptKey with a keysize of 4096 with this spec?

ca.tokentype=soft
ca.keytype=ECDSA
ca.keyspec=secp521r1
ca.signaturealgorithm=SHA384withECDSA

I've tried to pre-provision the crypto tokens with the ejbca.sh cli, but as soon as I run ant runinstall a new set of tokens will be generate for the CA.

[Alestor]

Found a solution here

[primetomas]

I don't recommend modifying the code as a solution. The Management CA should only be used for administrator access to the Admin UI. As such it should never be used to issue encryption certificates where key recovery is needed.
If you want to issue encryption certificates with key recovery, i.e. S/MIME for example. You should always create a separate CA for that and not use the default installed Management CA.
If you use the Management CA for just TLS authentication purposes the encryptKey will never be used and you can completely ignore this.
You may also, after initial installation, create a new "Admin Management CA" and delete the one created with "ant runinstall".
Or you can make the installation with an external Management CA, if you have another CA issuing electronic IDs to your administrators so you don't create a default Management CA at all.

[Alestor]

Thank you for clarification. For what it's worth, it was not my preferred way to dig through the code and modify it to get the desired configuration. In additional, it is very disappointing to figure out it was all for nothing. At least I've learned a bit more about the encryptionKey .