Raise key length defaults
Extend the default RSA key length to 2048 bits, as the previous default of 1024 bits has been considered weak since 12/31/2010. Also unify the message_md setting to the OpenSSL builtin default. Fixes bug 1103002 Change-Id: I70e90b7696f8a56073c3d6bdc9ed5d30cfa3401f
This commit is contained in:
parent
cd349711bc
commit
7006798028
@ -168,7 +168,7 @@ The values that specify where to read the certificates are under the
|
|||||||
* ``keyfile`` - Location of private key used to sign tokens. Default is ``/etc/keystone/ssl/private/signing_key.pem``
|
* ``keyfile`` - Location of private key used to sign tokens. Default is ``/etc/keystone/ssl/private/signing_key.pem``
|
||||||
* ``ca_certs`` - Location of certificate for the authority that issued the above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem``
|
* ``ca_certs`` - Location of certificate for the authority that issued the above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem``
|
||||||
* ``ca_key`` - Default is ``/etc/keystone/ssl/certs/cakey.pem``
|
* ``ca_key`` - Default is ``/etc/keystone/ssl/certs/cakey.pem``
|
||||||
* ``key_size`` - Default is ``1024``
|
* ``key_size`` - Default is ``2048``
|
||||||
* ``valid_days`` - Default is ``3650``
|
* ``valid_days`` - Default is ``3650``
|
||||||
* ``ca_password`` - Password required to read the ca_file. Default is None
|
* ``ca_password`` - Password required to read the ca_file. Default is None
|
||||||
|
|
||||||
@ -202,9 +202,9 @@ generate a PKCS #10 Certificate Request Syntax (CRS) using OpenSSL CLI.
|
|||||||
First create a certificate request configuration file (e.g. ``cert_req.conf``)::
|
First create a certificate request configuration file (e.g. ``cert_req.conf``)::
|
||||||
|
|
||||||
[ req ]
|
[ req ]
|
||||||
default_bits = 1024
|
default_bits = 2048
|
||||||
default_keyfile = keystonekey.pem
|
default_keyfile = keystonekey.pem
|
||||||
default_md = sha1
|
default_md = default
|
||||||
|
|
||||||
prompt = no
|
prompt = no
|
||||||
distinguished_name = distinguished_name
|
distinguished_name = distinguished_name
|
||||||
@ -223,7 +223,7 @@ key. Must use the -nodes option.**
|
|||||||
|
|
||||||
For example::
|
For example::
|
||||||
|
|
||||||
openssl req -newkey rsa:1024 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes
|
openssl req -newkey rsa:2048 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes
|
||||||
|
|
||||||
|
|
||||||
If everything is successfully, you should end up with ``signing_cert_req.pem``
|
If everything is successfully, you should end up with ``signing_cert_req.pem``
|
||||||
|
@ -146,7 +146,7 @@
|
|||||||
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
|
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
|
||||||
#keyfile = /etc/keystone/ssl/private/signing_key.pem
|
#keyfile = /etc/keystone/ssl/private/signing_key.pem
|
||||||
#ca_certs = /etc/keystone/ssl/certs/ca.pem
|
#ca_certs = /etc/keystone/ssl/certs/ca.pem
|
||||||
#key_size = 1024
|
#key_size = 2048
|
||||||
#valid_days = 3650
|
#valid_days = 3650
|
||||||
#ca_password = None
|
#ca_password = None
|
||||||
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
|
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
|
||||||
|
@ -40,9 +40,9 @@ function cleanup {
|
|||||||
function generate_ca_conf {
|
function generate_ca_conf {
|
||||||
echo '
|
echo '
|
||||||
[ req ]
|
[ req ]
|
||||||
default_bits = 1024
|
default_bits = 2048
|
||||||
default_keyfile = cakey.pem
|
default_keyfile = cakey.pem
|
||||||
default_md = sha1
|
default_md = default
|
||||||
|
|
||||||
prompt = no
|
prompt = no
|
||||||
distinguished_name = ca_distinguished_name
|
distinguished_name = ca_distinguished_name
|
||||||
@ -67,9 +67,9 @@ basicConstraints = critical,CA:true
|
|||||||
function generate_ssl_req_conf {
|
function generate_ssl_req_conf {
|
||||||
echo '
|
echo '
|
||||||
[ req ]
|
[ req ]
|
||||||
default_bits = 1024
|
default_bits = 2048
|
||||||
default_keyfile = keystonekey.pem
|
default_keyfile = keystonekey.pem
|
||||||
default_md = sha1
|
default_md = default
|
||||||
|
|
||||||
prompt = no
|
prompt = no
|
||||||
distinguished_name = distinguished_name
|
distinguished_name = distinguished_name
|
||||||
@ -88,9 +88,9 @@ emailAddress = keystone@openstack.org
|
|||||||
function generate_cms_signing_req_conf {
|
function generate_cms_signing_req_conf {
|
||||||
echo '
|
echo '
|
||||||
[ req ]
|
[ req ]
|
||||||
default_bits = 1024
|
default_bits = 2048
|
||||||
default_keyfile = keystonekey.pem
|
default_keyfile = keystonekey.pem
|
||||||
default_md = sha1
|
default_md = default
|
||||||
|
|
||||||
prompt = no
|
prompt = no
|
||||||
distinguished_name = distinguished_name
|
distinguished_name = distinguished_name
|
||||||
@ -122,7 +122,7 @@ private_key = $dir/private/cakey.pem
|
|||||||
|
|
||||||
default_days = 21360
|
default_days = 21360
|
||||||
default_crl_days = 30
|
default_crl_days = 30
|
||||||
default_md = sha1
|
default_md = default
|
||||||
|
|
||||||
policy = policy_any
|
policy = policy_any
|
||||||
|
|
||||||
@ -157,14 +157,14 @@ function check_error {
|
|||||||
|
|
||||||
function generate_ca {
|
function generate_ca {
|
||||||
echo 'Generating New CA Certificate ...'
|
echo 'Generating New CA Certificate ...'
|
||||||
openssl req -x509 -newkey rsa:1024 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
|
openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
|
||||||
check_error $?
|
check_error $?
|
||||||
}
|
}
|
||||||
|
|
||||||
function ssl_cert_req {
|
function ssl_cert_req {
|
||||||
echo 'Generating SSL Certificate Request ...'
|
echo 'Generating SSL Certificate Request ...'
|
||||||
generate_ssl_req_conf
|
generate_ssl_req_conf
|
||||||
openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
|
openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
|
||||||
check_error $?
|
check_error $?
|
||||||
#openssl req -in req.pem -text -noout
|
#openssl req -in req.pem -text -noout
|
||||||
}
|
}
|
||||||
@ -172,7 +172,7 @@ function ssl_cert_req {
|
|||||||
function cms_signing_cert_req {
|
function cms_signing_cert_req {
|
||||||
echo 'Generating CMS Signing Certificate Request ...'
|
echo 'Generating CMS Signing Certificate Request ...'
|
||||||
generate_cms_signing_req_conf
|
generate_cms_signing_req_conf
|
||||||
openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
|
openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
|
||||||
check_error $?
|
check_error $?
|
||||||
#openssl req -in req.pem -text -noout
|
#openssl req -in req.pem -text -noout
|
||||||
}
|
}
|
||||||
|
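Review bot: `default_md = default` in the `[ req ]` blocks emitted by generate_ca_conf, generate_ssl_req_conf and generate_cms_signing_req_conf does not by itself guarantee a stronger digest than the sha1 it replaces: the algorithm actually used now depends on the OpenSSL build, and on the 1.0.x releases current at the time of this change the builtin default for RSA signatures is still SHA-1, so the CSRs and the self-signed CA certificate produced by generate_ca would presumably keep SHA-1 signatures. It is also not clear from the 1.0.x `req` documentation, which lists only concrete digest names for `default_md`, that `default` is honoured as a keyword there the way `ca` honours it; if it is not recognised it falls through silently to the compiled-in default. Pinning an explicit algorithm, `default_md = sha256`, in all three blocks and in the `[ ca ]` section at the `@ -122` hunk makes the outcome independent of the OpenSSL version. The same value is introduced in the documentation's cert_req.conf example and in the openssl.conf sections later in this commit, where the same consideration applies.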
@ -245,7 +245,7 @@ def configure():
|
|||||||
default="/etc/keystone/ssl/certs/ca.pem")
|
default="/etc/keystone/ssl/certs/ca.pem")
|
||||||
register_str('ca_key', group='signing',
|
register_str('ca_key', group='signing',
|
||||||
default="/etc/keystone/ssl/certs/cakey.pem")
|
default="/etc/keystone/ssl/certs/cakey.pem")
|
||||||
register_int('key_size', group='signing', default=1024)
|
register_int('key_size', group='signing', default=2048)
|
||||||
register_int('valid_days', group='signing', default=3650)
|
register_int('valid_days', group='signing', default=3650)
|
||||||
register_str('ca_password', group='signing', default=None)
|
register_str('ca_password', group='signing', default=None)
|
||||||
register_str('cert_subject', group='signing',
|
register_str('cert_subject', group='signing',
|
||||||
|
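Review bot: The raised default in `register_int('key_size', group='signing', default=2048)` is not a lower bound: an operator who keeps `key_size = 1024` in keystone.conf (the sample at the `@ -146` hunk still shows the old value only as a commented example) gets the same weak key the commit description calls out. If the option is consumed by a single code path outside this hunk, a range check there, or at least a comment on this line such as `# RSA modulus size for newly generated signing keys; below 2048 bits is considered weak`, would make the intent explicit. Keys already generated at 1024 bits are presumably not rotated by this change, which is worth stating in the option's documentation. configure() continues outside the hunk.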
@ -197,7 +197,7 @@ new_certs_dir = $dir
|
|||||||
serial = $dir/serial
|
serial = $dir/serial
|
||||||
database = $dir/index.txt
|
database = $dir/index.txt
|
||||||
default_days = 365
|
default_days = 365
|
||||||
default_md = sha1
|
default_md = default # use public key default MD
|
||||||
preserve = no
|
preserve = no
|
||||||
email_in_dn = no
|
email_in_dn = no
|
||||||
nameopt = default_ca
|
nameopt = default_ca
|
||||||
@ -215,7 +215,7 @@ commonName = supplied
|
|||||||
emailAddress = optional
|
emailAddress = optional
|
||||||
|
|
||||||
[ req ]
|
[ req ]
|
||||||
default_bits = 1024 # Size of keys
|
default_bits = 2048 # Size of keys
|
||||||
default_keyfile = key.pem # name of generated keys
|
default_keyfile = key.pem # name of generated keys
|
||||||
default_md = default # message digest algorithm
|
default_md = default # message digest algorithm
|
||||||
string_mask = nombstr # permitted characters
|
string_mask = nombstr # permitted characters
|
||||||
|