From cb0245cfab4dea5f0f8059c716b97c219cd7e577 Mon Sep 17 00:00:00 2001 From: Juanita Balaraj Date: Mon, 19 Jun 2023 20:14:20 +0000 Subject: [PATCH] Added RSA Key length (dsr8) Modified the note to include Removed trailing spaces and fixed Patchset 7 comments Updated Patchset 6 comments and removed the word platform Fixed formatting issues Updated Patchset 4 comments Added additional notes in multiple topics listed in the review Updated the Security / Upgrade Guide with a note Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c Signed-off-by: Juanita Balaraj Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2 --- .../create-certificates-locally-using-openssl.rst | 13 +++++++++++-- .../security/kubernetes/https-access-overview.rst | 11 +++++++++++ ...he-starlingx-rest-and-web-server-certificate.rst | 11 +++++++++++ ...cate-update-cloud-orchestration-a627f9d02d6d.rst | 11 +++++++++++ .../kubernetes/kubernetes-root-ca-certificate.rst | 11 +++++++++++ ...ertificates-to-use-cert-manager-c0b1727e4e5d.rst | 12 ++++++++++++ ...e-the-docker-registry-certificate-deprecated.rst | 11 +++++++++++ ...s-and-the-web-admin-server-cert-9196c5794834.rst | 11 +++++++++++ 8 files changed, 89 insertions(+), 2 deletions(-) diff --git a/doc/source/security/kubernetes/create-certificates-locally-using-openssl.rst b/doc/source/security/kubernetes/create-certificates-locally-using-openssl.rst index 463294388..709d1964b 100644 --- a/doc/source/security/kubernetes/create-certificates-locally-using-openssl.rst +++ b/doc/source/security/kubernetes/create-certificates-locally-using-openssl.rst 
@@ -5,10 +5,20 @@ ========================================= Create Certificates Locally using openssl ========================================= - + You can use :command:`openssl` to locally create certificates suitable for use in a lab environment. +.. note:: + + Ensure the certificates have RSA key length >= 2048 bits. The + |prod-long| Release |this-ver| provides a new version of ``openssl`` which + requires a minimum of 2048-bit keys for RSA for better security / encryption + strength. + + You can check the key length by running ``openssl x509 -in -noout -text`` + and looking for the "Public-Key" in the output. + .. rubric:: |proc| .. _create-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb: @@ -64,4 +74,3 @@ use in a lab environment. $ cat my-server-cert.pem my-server-key.pem > my-server.pem - diff --git a/doc/source/security/kubernetes/https-access-overview.rst b/doc/source/security/kubernetes/https-access-overview.rst index c23efd7bf..db98dcfc8 100644 --- a/doc/source/security/kubernetes/https-access-overview.rst +++ b/doc/source/security/kubernetes/https-access-overview.rst @@ -119,3 +119,14 @@ In addition, |prod| monitors the installed certificates on the system by raising alarms for expire-soon certificates and for expired certificates on the system, see :ref:`Expiring-Soon and Expired Certificate Alarms `. + +.. note:: + + Ensure the certificates have RSA key length >= 2048 bits. The + |prod-long| Release |this-ver| provides a new version of ``openssl`` which + requires a minimum of 2048-bit keys for RSA for better security / encryption + strength. + + You can check the key length by running ``openssl x509 -in -noout -text`` + and looking for the "Public-Key" in the output. For more information see + :ref:`Create Certificates Locally using openssl `. 
diff --git a/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst b/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst index 350762dd5..5eaef334e 100644 --- a/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst +++ b/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst @@ -65,3 +65,14 @@ file, and copy the file to the controller host. MUST renew the certificate prior to expiry, otherwise a variety of system operations will fail. +.. note:: + + Ensure the certificates have RSA key length >= 2048 bits. The + |prod-long| Release |this-ver| provides a new version of ``openssl`` which + requires a minimum of 2048-bit keys for RSA for better security / encryption + strength. + + You can check the key length by running ``openssl x509 -in -noout -text`` + and looking for the "Public-Key" in the output. For more information see + :ref:`Create Certificates Locally using openssl `. + diff --git a/doc/source/security/kubernetes/kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d.rst b/doc/source/security/kubernetes/kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d.rst index d726a7f45..d8c7a4232 100644 --- a/doc/source/security/kubernetes/kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d.rst +++ b/doc/source/security/kubernetes/kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d.rst 
@@ -103,6 +103,17 @@ and ``/etc/kubernetes/pki/ca.key``. existing certificate will ignore any arguments to generate a certificate. + .. note:: + + Ensure the certificates have RSA key length >= 2048 bits. The + |prod-long| Release |this-ver| provides a new version of ``openssl`` + which requires a minimum of 2048-bit keys for RSA for better + security / encryption strength. + + You can check the key length by running ``openssl x509 -in -noout -text`` + and looking for the "Public-Key" in the output. For more information see + :ref:`Create Certificates Locally using openssl `. + #. Apply the strategy. .. code-block:: diff --git a/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst b/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst index 18ae35f88..2079ff680 100644 --- a/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst +++ b/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst @@ -52,6 +52,17 @@ value is the absolute path of the certificate file. The certificate must be in |PEM| format and the value must be provided as part of a pair with . +.. note:: + + Ensure the certificates have RSA key length >= 2048 bits. The + |prod-long| Release |this-ver| provides a new version of ``openssl`` which + requires a minimum of 2048-bit keys for RSA for better security / encryption + strength. + + You can check the key length by running ``openssl x509 -in -noout -text`` + and looking for the "Public-Key" in the output. For more information see + :ref:`Create Certificates Locally using openssl `. + For example: .. code-block:: none diff --git a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst index 5686b41a7..dc9a84de2 100644 --- a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst 
+++ b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst @@ -92,6 +92,18 @@ controllers/subclouds. (self-signed, internal Root |CA|) or use an external Root |CA| that would make this an Intermediate |CA|. + .. note:: + + Ensure the certificates have RSA key length >= 2048 bits before + migrating to |prod-long| Release |this-ver|. The |prod-long| Release + |this-ver| provides a new version of ``openssl`` which requires a + minimum of 2048-bit keys for RSA for better security / encryption + strength. + + You can check the key length by running ``openssl x509 -in -noout -text`` + and looking for the "Public-Key" in the output. For more information see + :ref:`Create Certificates Locally using openssl `. + ``system_root_ca_cert`` The Root |CA| that signed ``system_local_ca_cert``. If ``system_local_ca_cert`` is a self-signed, internal Root |CA| diff --git a/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate-deprecated.rst b/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate-deprecated.rst index 5697c07fc..f2ca1cb9c 100644 --- a/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate-deprecated.rst +++ b/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate-deprecated.rst 
@@ -99,6 +99,17 @@ above certificate. ```` is the path to the file containing both the Docker registry's Intermediate or Root CA-signed certificate and private key to install. + + .. note:: + + Ensure the certificates have RSA key length >= 2048 bits. The + |prod-long| Release |this-ver| provides a new version of ``openssl`` + which requires a minimum of 2048-bit keys for RSA for better + security / encryption strength. + + You can check the key length by running ``openssl x509 -in -noout -text`` + and looking for the "Public-Key" in the output. For more information see + :ref:`Create Certificates Locally using openssl `. Refer to :ref:`Install/Update Local Registry Certificates ` on how to install/update diff --git a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst index 100e395c3..487a8254b 100644 --- a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst +++ b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst @@ -122,6 +122,17 @@ certificates. #. Copy the |PEM| encoded certificate and key from the externally generated |CA| to the controller host. + + .. note:: + + Ensure the certificates have RSA key length >= 2048 bits. The + |prod-long| Release |this-ver| provides a new version of ``openssl`` + which requires a minimum of 2048-bit keys for RSA for better + security / encryption strength. + + You can check the key length by running ``openssl x509 -in -noout -text`` + and looking for the "Public-Key" in the output. For more information see + :ref:`Create Certificates Locally using openssl `. #. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key files:
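Review bot: the commit message carries two different Change-Id footers (If0a88e… and I5686cda…); Gerrit keys the change on that footer, so keeping both will either split the review history or make the second one win silently. Keep only the Change-Id of the original change and drop the other before merging.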
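Review bot: in the create-certificates-locally-using-openssl hunk (and in every copy of the note that follows), the check command reads ``openssl x509 -in -noout -text``, so ``-in`` has no filename argument, and the ``:ref:`` targets render with no label; if the ``<cert-file>`` placeholder and the ref labels were lost in extraction rather than in the source, ignore this, otherwise restore them, e.g. ``openssl x509 -in <certificate-file> -noout -text``. It would also help to name the exact line the reader is looking for, i.e. ``Public-Key: (2048 bit)`` under "Subject Public Key Info", and to point out that this inspects the certificate's public key; an operator holding only the private key file can check it with ``openssl rsa -in <key-file> -noout -text``. Since this page is where the key pair is generated in the first place, the note should also say which size to request at creation time (``rsa:2048`` or larger with ``openssl req -newkey``, or ``openssl genrsa 2048``), not only how to verify it afterwards.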
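Review bot: the same ten-line note is pasted verbatim into seven files, and the migrate-platform-certificates copy already diverges from the others ("before migrating to |prod-long| Release |this-ver|"), which is how these notes drift out of sync; put the text in one shared snippet and pull it in with ``.. include::`` so a later correction to the command or the wording lands everywhere at once. While doing that, replace the justification "for better security / encryption strength" with the concrete consequence the new ``openssl`` version has for a shorter key (whether it refuses to load the certificate or TLS handshakes fail), since that is what tells an operator how urgent the replacement is.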
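Review bot: in the kubernetes-root-ca-certificate hunk the note is inserted between the sentence ending "the value must be provided as part of a pair with ." and its "For example:" lead-in, so the example block no longer sits next to the text it illustrates; move the note to after the ``.. code-block:: none`` example (or above the paragraph) so the paragraph and its example stay together.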