During certificate/CSR creation, one can change the number of bits used in the RSA and SHA algorithms to something higher than the default. One should also be able to change the algorithms to Elliptic Curve DSA and MD5 for hashing. The available values for RSA and SHA (as of 8.0) are:
RSA: 512 1024 2048 (default) 3072 4096
SHA: SHA1 SHA256 (default) SHA384 SHA512
However, in some cases an admin might not be seeing any options in the drop-down for either algorithm.
Diagnosis
The PHP debugs will show the following errors:
[2017/12/29 17:43:04] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php [2017/12/29 17:43:04] user=1282626187103044 ========= RemoteCall: Certificate.completeCertificateNbits ========= [2017/12/29 17:43:05] user=1282626187103044 <request cmd="op" complete="operations/request/certificate/generate/algorithm/RSA/rsa-nbits" cookie="1282626187103044"/> [2017/12/29 17:43:05] user=1282626187103044 <response status="error"><msg><line>You need superuser privileges to do that</line></msg></response> [2017/12/29 17:43:05] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php took 0.179s [2017/12/29 17:43:06] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php [2017/12/29 17:43:06] user=1282626187103044 ========= RemoteCall: Certificate.completeCertificateDigest ========= [2017/12/29 17:43:06] user=1282626187103044 <request cmd="op" complete="operations/request/certificate/generate/digest" cookie="1282626187103044"> <algorithm>rsa</algorithm> </request> [2017/12/29 17:43:06] user=1282626187103044 <response status="error"><msg><line>You need superuser privileges to do that</line></msg></response> [2017/12/29 17:43:06] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php took 0.167s
Resolution
Log in with any 'superuser' account and you should be able to change the bits and algorithms to any of the available options.