diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 661723da27..66908c0939 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -168,7 +168,7 @@ The values that specify where to read the certificates are under the * ``keyfile`` - Location of private key used to sign tokens. Default is ``/etc/keystone/ssl/private/signing_key.pem`` * ``ca_certs`` - Location of certificate for the authority that issued the above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem`` * ``ca_key`` - Default is ``/etc/keystone/ssl/certs/cakey.pem`` -* ``key_size`` - Default is ``1024`` +* ``key_size`` - Default is ``2048`` * ``valid_days`` - Default is ``3650`` * ``ca_password`` - Password required to read the ca_file. Default is None @@ -202,9 +202,9 @@ generate a PKCS #10 Certificate Request Syntax (CRS) using OpenSSL CLI. First create a certificate request configuration file (e.g. ``cert_req.conf``):: [ req ] - default_bits = 1024 + default_bits = 2048 default_keyfile = keystonekey.pem - default_md = sha1 + default_md = default prompt = no distinguished_name = distinguished_name @@ -223,7 +223,7 @@ key. Must use the -nodes option.** For example:: - openssl req -newkey rsa:1024 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes + openssl req -newkey rsa:2048 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes If everything is successfully, you should end up with ``signing_cert_req.pem`` diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample index f3755571eb..8a1e3fb217 100644 --- a/etc/keystone.conf.sample +++ b/etc/keystone.conf.sample 
@@ -146,7 +146,7 @@ #certfile = /etc/keystone/ssl/certs/signing_cert.pem #keyfile = /etc/keystone/ssl/private/signing_key.pem #ca_certs = /etc/keystone/ssl/certs/ca.pem -#key_size = 1024 +#key_size = 2048 #valid_days = 3650 #ca_password = None #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com diff --git a/examples/pki/gen_pki.sh b/examples/pki/gen_pki.sh index 9bf6c32250..002ca89cce 100755 --- a/examples/pki/gen_pki.sh +++ b/examples/pki/gen_pki.sh @@ -40,9 +40,9 @@ function cleanup { function generate_ca_conf { echo ' [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = cakey.pem -default_md = sha1 +default_md = default prompt = no distinguished_name = ca_distinguished_name @@ -67,9 +67,9 @@ basicConstraints = critical,CA:true function generate_ssl_req_conf { echo ' [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = keystonekey.pem -default_md = sha1 +default_md = default prompt = no distinguished_name = distinguished_name @@ -88,9 +88,9 @@ emailAddress = keystone@openstack.org function generate_cms_signing_req_conf { echo ' [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = keystonekey.pem -default_md = sha1 +default_md = default prompt = no distinguished_name = distinguished_name @@ -122,7 +122,7 @@ private_key = $dir/private/cakey.pem default_days = 21360 default_crl_days = 30 -default_md = sha1 +default_md = default policy = policy_any 
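Review bot: `default_md = default` in the generated `[ req ]` and `[ ca ]` sections (the `@@ -40`, `@@ -67`, `@@ -88` and `@@ -122` hunks of gen_pki.sh, and the `@@ -197` hunk of keystone/common/openssl.py) hands the digest choice to OpenSSL's per-key-type default, which for RSA was still SHA-1 on the 1.0.x releases as far as I recall, so on such builds this replaces an explicit SHA-1 with an implicit one rather than moving off it; verify against the OpenSSL shipped on the target platforms. Pinning the digest, `default_md = sha256`, is deterministic across OpenSSL versions and makes the intended strengthening visible in the config rather than depending on the library's build-time default. The `cert_req.conf` example in doc/source/configuration.rst has the same `default_md = default` line and should match whatever is chosen here. The enclosing shell functions (`generate_ca_conf`, `generate_ssl_req_conf`, `generate_cms_signing_req_conf` and the CA config generator) continue outside these hunks.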
@@ -157,14 +157,14 @@ function check_error { function generate_ca { echo 'Generating New CA Certificate ...' - openssl req -x509 -newkey rsa:1024 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes + openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes check_error $? } function ssl_cert_req { echo 'Generating SSL Certificate Request ...' generate_ssl_req_conf - openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes + openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes check_error $? #openssl req -in req.pem -text -noout } @@ -172,7 +172,7 @@ function ssl_cert_req { function cms_signing_cert_req { echo 'Generating CMS Signing Certificate Request ...' generate_cms_signing_req_conf - openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes + openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes check_error $? #openssl req -in req.pem -text -noout } diff --git a/keystone/common/config.py b/keystone/common/config.py index e2f5055a75..5ff0f4bb33 100644 --- a/keystone/common/config.py +++ b/keystone/common/config.py @@ -245,7 +245,7 @@ def configure(): default="/etc/keystone/ssl/certs/ca.pem") register_str('ca_key', group='signing', default="/etc/keystone/ssl/certs/cakey.pem") - register_int('key_size', group='signing', default=1024) + register_int('key_size', group='signing', default=2048) register_int('valid_days', group='signing', default=3650) register_str('ca_password', group='signing', default=None) register_str('cert_subject', group='signing', 
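Review bot: The key size is now hard-coded in two places in gen_pki.sh — `-newkey rsa:2048` on the `openssl req` lines in `generate_ca` and `ssl_cert_req` here and in `cms_signing_cert_req` in the `@@ -172` hunk, and `default_bits = 2048` in the request configs the script generates earlier in the file. When `-newkey rsa:N` is given on the command line it presumably takes precedence over `default_bits`, so the config edits have no effect on these three calls and the next bump has to be made in at least four spots. Driving both from one variable near the top of the script, e.g. `KEY_SIZE=2048` and `-newkey rsa:$KEY_SIZE`, with the generated configs emitting `default_bits = '$KEY_SIZE'` outside the single-quoted `echo` string, keeps it to a single edit. The `-days 21360` lifetime on the CA line is likewise a bare literal that could use the same treatment.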
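Review bot: The raised default on `register_int('key_size', group='signing', default=2048)` carries no help text or comment at the registration site, so the reason for the value is lost; a one-line comment such as `# RSA modulus size for generated signing keys; 2048 is the smallest size currently recommended` would record it. The new default presumably applies only when a key is generated — deployments that already created a 1024-bit signing key under the old default keep it until it is regenerated — and that operational consequence belongs in the release notes or the configuration doc rather than being implied by the default alone; verify against the generation path in keystone/common/openssl.py. `configure()` continues outside the hunk.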
diff --git a/keystone/common/openssl.py b/keystone/common/openssl.py index 3e08ed1ef0..47ac5aa69c 100644 --- a/keystone/common/openssl.py +++ b/keystone/common/openssl.py @@ -197,7 +197,7 @@ new_certs_dir = $dir serial = $dir/serial database = $dir/index.txt default_days = 365 -default_md = sha1 +default_md = default # use public key default MD preserve = no email_in_dn = no nameopt = default_ca @@ -215,7 +215,7 @@ commonName = supplied emailAddress = optional [ req ] -default_bits = 1024 # Size of keys +default_bits = 2048 # Size of keys default_keyfile = key.pem # name of generated keys default_md = default # message digest algorithm string_mask = nombstr # permitted characters