From 58eac3d91f47ee18a3cd282c20ad28e3b5a0a111 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 15 Sep 2021 16:51:07 -0400
Subject: [PATCH] Update scripts to use fips allowed algorithms

Openssl genrsa is deprecated in favor of genpkey, and fails in FIPS mode. Update the relevant calls to use genpkey instead.

Change-Id: I1aab9faa8afe845e445e620d1800785d2e19ad1e
(cherry picked from commit 36a642d9d0b95b6337558144450bbc7802784c23)
---
 bin/create_dual_intermediate_CA.sh | 10 +++++-----
 bin/create_single_CA_intermediate_CA.sh | 6 +++---
 doc/source/admin/guides/certificates.rst | 6 +++---
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/bin/create_dual_intermediate_CA.sh b/bin/create_dual_intermediate_CA.sh
index 89b822d439..ae1435cb8d 100755
--- a/bin/create_dual_intermediate_CA.sh
+++ b/bin/create_dual_intermediate_CA.sh
@@ -44,7 +44,7 @@ touch index.txt
 echo 1000 > serial

 # Create the client CA private key
-openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 2048
+openssl genpkey -algorithm RSA -out private/ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
 chmod 400 private/ca.key.pem

 # Create the client CA root certificate
@@ -58,7 +58,7 @@ touch intermediate_ca/index.txt
 echo 1000 > intermediate_ca/serial

 # Create the client intermediate CA private key
-openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 2048
+openssl genpkey -algorithm RSA -out intermediate_ca/private/intermediate.ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
 chmod 400 intermediate_ca/private/intermediate.ca.key.pem

 # Create the client intermediate CA certificate signing request
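Review bot: The `+openssl genpkey` lines in the @@ -44 and @@ -58 hunks drop the explicit `2048` key size that the removed genrsa calls carried, so the key length now rests on genpkey's built-in RSA default (2048 bits in current OpenSSL releases) instead of being stated in the script. The same omission is in the @@ -71, @@ -103 and @@ -117 hunks of this file and in all three hunks of bin/create_single_CA_intermediate_CA.sh. Keeping the size explicit makes the change a true drop-in and guards against a build with a different default, e.g. `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private/ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase`. The certificates.rst hunks in this same commit already pass `-pkeyopt rsa_keygen_bits:…`, so the scripts would then match the documented commands.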
@@ -71,7 +71,7 @@ openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_interm
 cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem

 ###### Create the client key and certificate
-openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 2048
+openssl genpkey -algorithm RSA -out intermediate_ca/private/controller.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
 chmod 400 intermediate_ca/private/controller.key.pem

 # Create the client controller certificate signing request
@@ -103,7 +103,7 @@ touch index.txt
 echo 1000 > serial

 # Create the server CA private key
-openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 2048
+openssl genpkey -algorithm RSA -out private/ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
 chmod 400 private/ca.key.pem

 # Create the server CA root certificate
@@ -117,7 +117,7 @@ touch intermediate_ca/index.txt
 echo 1000 > intermediate_ca/serial

 # Create the server intermediate CA private key
-openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 2048
+openssl genpkey -algorithm RSA -out intermediate_ca/private/intermediate.ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
 chmod 400 intermediate_ca/private/intermediate.ca.key.pem

 # Create the server intermediate CA certificate signing request
diff --git a/bin/create_single_CA_intermediate_CA.sh b/bin/create_single_CA_intermediate_CA.sh
index 61cf1fd3ed..5b91e7fffa 100755
--- a/bin/create_single_CA_intermediate_CA.sh
+++ b/bin/create_single_CA_intermediate_CA.sh
@@ -44,7 +44,7 @@ touch index.txt
 echo 1000 > serial

 # Create the client CA private key
-openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 2048
+openssl genpkey -algorithm RSA -out private/ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
 chmod 400 private/ca.key.pem

 # Create the client CA root certificate
@@ -58,7 +58,7 @@ touch intermediate_ca/index.txt
 echo 1000 > intermediate_ca/serial

 # Create the client intermediate CA private key
-openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 2048
+openssl genpkey -algorithm RSA -out intermediate_ca/private/intermediate.ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
 chmod 400 intermediate_ca/private/intermediate.ca.key.pem

 # Create the client intermediate CA certificate signing request
@@ -71,7 +71,7 @@ openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_interm
 cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem

 ###### Create the client key and certificate
-openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 2048
+openssl genpkey -algorithm RSA -out intermediate_ca/private/controller.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
 chmod 400 intermediate_ca/private/controller.key.pem

 # Create the client controller certificate signing request
diff --git a/doc/source/admin/guides/certificates.rst b/doc/source/admin/guides/certificates.rst
index 295541e9fc..814e776903 100644
--- a/doc/source/admin/guides/certificates.rst
+++ b/doc/source/admin/guides/certificates.rst
@@ -142,7 +142,7 @@ can be used to create the required certificates.

 .. code-block:: bash

- $ openssl genrsa -aes256 -out private/ca.key.pem 4096
+ $ openssl genpkey -algorithm RSA -out private/ca.key.pem -aes-128-cbc -pkeyopt rsa_keygen_bits:4096
 $ chmod 400 private/ca.key.pem

 7. Create the `server` CA certificate.
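Review bot: The rewritten command in the @@ -142 hunk of certificates.rst changes the private-key wrapping cipher from `-aes256` to `-aes-128-cbc` alongside the genrsa-to-genpkey move, although the commit message only motivates the latter and both AES key sizes are acceptable in FIPS mode. The same silent reduction appears in the @@ -174 and @@ -199 hunks of this file. If the goal is only to leave the deprecated genrsa, `-aes-256-cbc` keeps the documented strength: `$ openssl genpkey -algorithm RSA -out private/ca.key.pem -aes-256-cbc -pkeyopt rsa_keygen_bits:4096`. If the change is intentional, a sentence in the guide or the commit message saying so would stop readers from treating it as a typo.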
@@ -174,7 +174,7 @@ can be used to create the required certificates.

 .. code-block:: bash

- $ openssl genrsa -aes256 -out private/ca.key.pem 4096
+ $ openssl genpkey -algorithm RSA -out private/ca.key.pem -aes-128-cbc -pkeyopt rsa_keygen_bits:4096
 $ chmod 400 private/ca.key.pem

 10. Create the `client` CA certificate.
@@ -199,7 +199,7 @@ can be used to create the required certificates.

 .. code-block:: bash

- $ openssl genrsa -aes256 -out private/client.key.pem 2048
+ $ openssl genpkey -algorithm RSA -out private/ca.key.pem -aes-128-cbc -pkeyopt rsa_keygen_bits:2048

 12. Create the certificate request for the `client` certificate used on
 the controllers.
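Review bot: The new command in the @@ -199 hunk writes the client key to `private/ca.key.pem`, whereas the removed line wrote it to `private/client.key.pem`; this looks like a copy of the CA-key command from the @@ -174 hunk rather than an intended change. If the reader runs the steps in the same directory, it presumably overwrites the client CA's private key created a few steps earlier, and the following CSR step (item 12) would then be working with the wrong key. The output path should be restored: `$ openssl genpkey -algorithm RSA -out private/client.key.pem -aes-128-cbc -pkeyopt rsa_keygen_bits:2048`. The `$ chmod 400` line that follows the CA-key commands is also absent here, as it was before the change.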