diff --git a/.ci/api-current.txt b/.ci/api-current.txt
index 87874e2381..b344d13f4f 100644
--- a/.ci/api-current.txt
+++ b/.ci/api-current.txt
@@ -1245,6 +1245,7 @@ public final class net.corda.core.crypto.Crypto extends java.lang.Object
   public static final java.security.PublicKey toSupportedPublicKey(java.security.PublicKey)
   @NotNull
   public static final java.security.PublicKey toSupportedPublicKey(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
+  public static final boolean validatePublicKey(java.security.PublicKey)
   @NotNull
   public static final net.corda.core.crypto.SignatureScheme COMPOSITE_KEY
   @NotNull
diff --git a/core/src/main/kotlin/net/corda/core/crypto/Crypto.kt b/core/src/main/kotlin/net/corda/core/crypto/Crypto.kt
index 5600ed9980..d396330cb6 100644
--- a/core/src/main/kotlin/net/corda/core/crypto/Crypto.kt
+++ b/core/src/main/kotlin/net/corda/core/crypto/Crypto.kt
@@ -897,6 +897,13 @@ object Crypto {
         return signatureScheme.schemeCodeName in signatureSchemeMap
     }
 
+    /**
+     * Check if a public key satisfies algorithm specs.
+     * For instance, an ECC key should lie on the curve and not being point-at-infinity.
+     */
+    @JvmStatic
+    fun validatePublicKey(key: PublicKey): Boolean = validatePublicKey(findSignatureScheme(key), key)
+
     // Validate a key, by checking its algorithmic params.
     private fun validateKey(signatureScheme: SignatureScheme, key: Key): Boolean {
         return when (key) {
@@ -910,7 +917,8 @@ object Crypto {
     private fun validatePublicKey(signatureScheme: SignatureScheme, key: PublicKey): Boolean {
         return when (key) {
             is BCECPublicKey, is EdDSAPublicKey -> publicKeyOnCurve(signatureScheme, key)
-            is BCRSAPublicKey, is BCSphincs256PublicKey -> true // TODO: Check if non-ECC keys satisfy params (i.e. approved/valid RSA modulus size).
+            is BCRSAPublicKey -> key.modulus.bitLength() >= 2048 // Although the recommended RSA key size is 3072, we accept any key >= 2048bits.
+            is BCSphincs256PublicKey -> true
             else -> throw IllegalArgumentException("Unsupported key type: ${key::class}")
         }
     }
diff --git a/docs/source/changelog.rst b/docs/source/changelog.rst
index bc01abb4e2..565d0f05e6 100644
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@@ -104,6 +104,10 @@ Unreleased
   (even if JPA annotation nullable=false was absent).
   In case your Cordapps use this entity class to persist data in own custom tables as non Primary Key columns refer to :doc:`upgrade-notes` for upgrade instructions.
 
+* Adding a public method to check if a public key satisfies Corda recommended algorithm specs, `Crypto.validatePublicKey(java.security.PublicKey)`.
+  For instance, this method will check if an ECC key lies on a valid curve or if an RSA key is >= 2048bits. This might
+  be required for extra key validation checks, e.g., for Doorman to check that a CSR key meets the minimum security requirements.
+
 .. _changelog_v3.1:
 
 Version 3.1
@@ -126,7 +130,6 @@ Version 3.1
 * Fixed node's behaviour on startup when there is no connectivity to network map. Node continues to work normally if it has
   all the needed network data, waiting in the background for network map to become available.
 
-
 .. _changelog_v3:
 
 Version 3.0