Maven RHEL Algorithm constraints check failed on keysize limits: RSA 2048 bit key used with certificate error

I recently wanted to build a small Spring Boot utility and created a project using Spring Initializr. It all worked fine until I tried to use ./mvnw spring-boot:run, where the application failed with quite a confusing error (manually wrapped here):

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.22.2:test (default-test) on project spring-boot-config-resolver: 
    Execution default-test of goal org.apache.maven.plugins:maven-surefire-plugin:2.22.2:test failed:
    Plugin org.apache.maven.plugins:maven-surefire-plugin:2.22.2 or one of its dependencies could not be resolved:
    Failed to collect dependencies at org.apache.maven.plugins:maven-surefire-plugin:jar:2.22.2 -> org.apache.maven.surefire:maven-surefire-common:jar:2.22.2:
    Failed to read artifact descriptor for org.apache.maven.surefire:maven-surefire-common:jar:2.22.2:
    Could not transfer artifact org.apache.maven.surefire:maven-surefire-common:pom:2.22.2 from/to central (
    transfer failed for
    PKIX path validation failed:
    Algorithm constraints check failed on keysize limits: RSA 2048 bit key used with certificate: CN=GlobalSign Atlas R3 DV TLS CA H2 2021, O=GlobalSign nv-sa, C=BE -> [Help 1]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1]

The strange part here is the Algorithm constraints check failed on keysize limits: RSA 2048 bit key used with certificate.

While researching the exception I found only errors regarding 1048-bit keys, but there was a hint to file. So I checked mine, but at first glance only found the following, which limits keys below 2048 bits. Very confusing.

# $JAVA_HOME/conf/security/, \
    RSA keySize < 2048, DSA keySize < 2048

Carrying on, still very confused, I finally found a small hint: /etc/crypto-policies.

Checking there I found this:

$ cat /etc/crypto-policies/config

MYCRYPTO1, you may ask, and so did I. It seems to be the placeholder value used by this RHEL hardening guide (I was running this on a shared machine set up not by me but by a colleague): 5.7. Customizing system-wide cryptographic policies with policy modifiers

And there is also a /etc/crypto-policies/back-ends/java.config, which includes the following; note the RSA keySize < 3072 – this fits our error!

jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 3072

But how does this get into the JVM?

After some digging around I found a hint to security.useSystemPropertiesFile, which is included in my file, but I did not find it in the Java documentation.

# $JAVA_HOME/conf/security/

# Determines whether this properties file will be appended to
# using the system properties file stored at
# /etc/crypto-policies/back-ends/java.config

Turns out to be a Fedora/RHEL patch!
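The effect of that override can be reproduced outside the JVM. The following is an added Python example, not code from the original post or from the JDK: it merges the two property sources and reports which disabledAlgorithms entry rejects a given key. It assumes that a value from the system file replaces the same-named key from the JDK file, and it parses only bare algorithm names and single keySize constraints; the function names and the sample strings are constructed for illustration.

```python
import operator
import re

# Constructed inputs built from the two values quoted in the post: the JDK's own
# java.security entry (with a line continuation) and the crypto-policies back-end.
JAVA_SECURITY = ("jdk.certpath.disabledAlgorithms=MD2, MD5, \\\n"
                 "    RSA keySize < 2048, DSA keySize < 2048\n")
SYSTEM_POLICY = "jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 3072\n"

OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}
ENTRY = re.compile(r"(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?")


def load_properties(*texts):
    """Merge .properties-style texts in order; a later text wins per key (assumption)."""
    props = {}
    for text in texts:
        text = re.sub(r"\\\n\s*", "", text)  # join backslash line continuations
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props


def blocking_rule(disabled, algorithm, key_size):
    """Return the first entry that rejects this key, or None if it is allowed.

    Handles only bare names and a single keySize constraint; entries using
    other constraints (jdkCA, usage, denyAfter, '&') are skipped.
    """
    for entry in (e.strip() for e in disabled.split(",")):
        m = ENTRY.fullmatch(entry)
        if not m or m.group(1).upper() != algorithm.upper():
            continue
        if m.group(2) is None or OPS[m.group(2)](key_size, int(m.group(3))):
            return entry
    return None


if __name__ == "__main__":
    prop = "jdk.certpath.disabledAlgorithms"
    for label, props in (("java.security only", load_properties(JAVA_SECURITY)),
                         ("with crypto-policies", load_properties(JAVA_SECURITY, SYSTEM_POLICY))):
        print(f"{label}: RSA 2048 blocked by {blocking_rule(props[prop], 'RSA', 2048)!r}")
```

To run the same check against a real host, pass the contents of the JDK's security properties file and /etc/crypto-policies/back-ends/java.config to load_properties in that order.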

Whew; that was fun to look for.