From 8b6bb936d377f110f7f684d845ec3bd8e76fec82 Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Tue, 26 Nov 2019 09:58:57 +0100
Subject: [PATCH] Use 2048-bits keys for devstack certificates
RHEL8 and Centos8 refuse to load certificates generated with a 1024-bits key because of new security policies. Increasing key size to 2048-bits fixes certificate generation scripts for these distributions.
Story 2006944 Task 37623
Change-Id: I6d5d39c4cf87ac687355f80ca591c1a611f46f41
---
 bin/create_dual_intermediate_CA.sh | 20 +++++---------------
 bin/create_single_CA_intermediate_CA.sh | 12 +++---------
 2 files changed, 8 insertions(+), 24 deletions(-)
diff --git a/bin/create_dual_intermediate_CA.sh b/bin/create_dual_intermediate_CA.sh
index 2cb1ae38fc..6874f21336 100755
--- a/bin/create_dual_intermediate_CA.sh
+++ b/bin/create_dual_intermediate_CA.sh
@@ -44,9 +44,7 @@ touch index.txt
 echo 1000 > serial
 # Create the client CA private key
-# Note: This uses short key lengths to save entropy in the test gates.
-# This is not recommended for deployment use!
-openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
+openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 2048
 chmod 400 private/ca.key.pem
 # Create the client CA root certificate
@@ -60,9 +58,7 @@ touch intermediate_ca/index.txt
 echo 1000 > intermediate_ca/serial
 # Create the client intermediate CA private key
-# Note: This uses short key lengths to save entropy in the test gates.
-# This is not recommended for deployment use!
-openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
+openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 2048
 chmod 400 intermediate_ca/private/intermediate.ca.key.pem
 # Create the client intermediate CA certificate signing request
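Review bot: The deployment caveat is dropped together with the stale key-length note, but the new `openssl genrsa` lines still protect each key with a fixed, public passphrase given on the command line (`-passout pass:not-secure-passphrase`), so the generated CA, intermediate and controller keys remain test-only. Only the sentence about short key lengths became wrong with 2048-bit keys. I would keep a one-line comment above each call, e.g. `# Test-only: the key passphrase is a fixed, public value; do not use these keys in a deployment.` The same applies to the remaining hunks of bin/create_dual_intermediate_CA.sh and to all three hunks of bin/create_single_CA_intermediate_CA.sh.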
@@ -75,9 +71,7 @@ openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_interm
 cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
 ###### Create the client key and certificate
-# Note: This uses short key lengths to save entropy in the test gates.
-# This is not recommended for deployment use!
-openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024
+openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 2048
 chmod 400 intermediate_ca/private/controller.key.pem
 # Create the client controller certificate signing request
@@ -109,9 +103,7 @@ touch index.txt
 echo 1000 > serial
 # Create the server CA private key
-# Note: This uses short key lengths to save entropy in the test gates.
-# This is not recommended for deployment use!
-openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
+openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 2048
 chmod 400 private/ca.key.pem
 # Create the server CA root certificate
@@ -125,9 +117,7 @@ touch intermediate_ca/index.txt
 echo 1000 > intermediate_ca/serial
 # Create the server intermediate CA private key
-# Note: This uses short key lengths to save entropy in the test gates.
-# This is not recommended for deployment use!
-openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
+openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 2048
 chmod 400 intermediate_ca/private/intermediate.ca.key.pem
 # Create the server intermediate CA certificate signing request
diff --git a/bin/create_single_CA_intermediate_CA.sh b/bin/create_single_CA_intermediate_CA.sh
index 7403c33ca5..445c6f5744 100755
--- a/bin/create_single_CA_intermediate_CA.sh
+++ b/bin/create_single_CA_intermediate_CA.sh
@@ -44,9 +44,7 @@ touch index.txt
 echo 1000 > serial
 # Create the client CA private key
-# Note: This uses short key lengths to save entropy in the test gates.
-# This is not recommended for deployment use!
-openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
+openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 2048
 chmod 400 private/ca.key.pem
 # Create the client CA root certificate
@@ -60,9 +58,7 @@ touch intermediate_ca/index.txt
 echo 1000 > intermediate_ca/serial
 # Create the client intermediate CA private key
-# Note: This uses short key lengths to save entropy in the test gates.
-# This is not recommended for deployment use!
-openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
+openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 2048
 chmod 400 intermediate_ca/private/intermediate.ca.key.pem
 # Create the client intermediate CA certificate signing request
@@ -75,9 +71,7 @@ openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_interm
 cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
 ###### Create the client key and certificate
-# Note: This uses short key lengths to save entropy in the test gates.
-# This is not recommended for deployment use!
-openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024
+openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 2048
 chmod 400 intermediate_ca/private/controller.key.pem
 # Create the client controller certificate signing request
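Review bot: The RSA key length is a bare literal at the end of every `openssl genrsa` line, which is why this change had to edit eight calls across two scripts and why the next crypto-policy bump will have to do the same. A single variable per script would keep the calls in step, e.g. `KEY_BITS=2048` near the top and `openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase "$KEY_BITS"` at each call. The top of both scripts is outside the visible hunks, so where the assignment belongs needs checking against the full files.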