Bug #395 (closed): TLS cert check only till trusted anchor
Description
The check of the key sizes should not be done for all certificates provided by the server in the TLS certificates message, but only for the certificates between the server certificate and the certificate in the trust store. You should only check the certificate itself and the intermediate certificates, not the CA cert itself. For example, the last certificate at eidpaos.elsteronline.de should not be checked, because your trust store should already contain the second-to-last certificate. The web servers send more certificates than needed because some older browsers are missing the new trusted certificates, and the CAs always sign their new CA certificates with their old CA certificates.
A similar problem exists in AusweisApp 1, and it should be fixed in AusweisApp 2.
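As an added illustration of the chain walk the report asks for (example code, not AusweisApp2's own implementation), with a constructed certificate model: the key-size check visits the server certificate and the intermediates and stops at the first certificate already present in the trust store, so the legacy root the server appends for older browsers is never evaluated. The certificate names, key sizes, the 2048-bit minimum and the subject-name trust-store lookup are assumptions made for this example.

```cpp
#include <set>
#include <string>
#include <vector>

// Constructed stand-in for a parsed X.509 certificate (not AusweisApp2's
// own types): just enough to walk a chain and look at the key size.
struct Cert {
    std::string subject;
    std::string issuer;
    int keyBits;
};

// Trust store keyed by subject name. Assumption for this example only; a real
// store would match the exact certificate (DER bytes or fingerprint).
using TrustStore = std::set<std::string>;

// The behaviour the report complains about: every certificate the server
// sent is held to the minimum key size, including legacy roots.
std::vector<std::string> checkEveryCertificate(const std::vector<Cert>& chain, int minBits) {
    std::vector<std::string> weak;
    for (const Cert& c : chain)
        if (c.keyBits < minBits) weak.push_back(c.subject);
    return weak;
}

// The requested behaviour: walk the chain leaf first, check the server
// certificate and each intermediate, and stop at the first certificate that
// is already in the trust store. The anchor itself and anything the server
// appended after it (e.g. an old root cross-signing the new one) is skipped.
// Path validation up to the anchor is assumed to happen elsewhere.
std::vector<std::string> checkChainKeySizes(const std::vector<Cert>& chain,
                                            const TrustStore& trusted, int minBits) {
    std::vector<std::string> weak;
    for (const Cert& c : chain) {
        if (trusted.count(c.subject)) break;      // reached the trust anchor
        if (c.keyBits < minBits) weak.push_back(c.subject);
        if (trusted.count(c.issuer)) break;       // issuer is the anchor: done
    }
    return weak;
}

// Constructed chain shaped like the one described in the report: leaf,
// intermediate, the new root (cross-signed by the old root), then the old root.
std::vector<Cert> sampleChain() {
    return {{"eid.example", "Example Intermediate CA", 2048},
            {"Example Intermediate CA", "Example New Root CA", 2048},
            {"Example New Root CA", "Example Old Root CA", 4096},
            {"Example Old Root CA", "Example Old Root CA", 1024}};
}
```

With the trust store holding "Example New Root CA", the old check flags the 1024-bit legacy root while the anchored check flags nothing; a weak leaf or intermediate is still reported by both.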