Added RSA Key length (dsr8)

Modified the note to include <the certificate file>
Removed trailing spaces and fixed Patchset 7 comments
Updated Patchset 6 comments and removed the word platform
Fixed formatting issues
Updated Patchset 4 comments
Added additional notes in multiple topics listed in the review
Updated the Security / Upgrade Guide with a note
Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>

Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2

doc/source/security/kubernetes/create-certificates-locally-using-openssl.rst

@@ -5,10 +5,20 @@
 =========================================
 Create Certificates Locally using openssl
 =========================================
-
+    
 You can use :command:`openssl` to locally create certificates suitable for
 use in a lab environment.
 
+.. note::
+    
+    Ensure the certificates have RSA key length >= 2048 bits. The
+    |prod-long| Release |this-ver| provides a new version of ``openssl`` which
+    requires a minimum of 2048-bit keys for RSA for better security / encryption
+    strength.
+    
+    You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
+    and looking for the "Public-Key" in the output.
+
 .. rubric:: |proc|
 
 .. _create-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
@@ -64,4 +74,3 @@ use in a lab environment.
 
             $ cat my-server-cert.pem my-server-key.pem > my-server.pem
 
-

doc/source/security/kubernetes/https-access-overview.rst

@@ -119,3 +119,14 @@ In addition, |prod| monitors the installed certificates on the system by raising
 alarms for expire-soon certificates and for expired certificates on the system,
 see :ref:`Expiring-Soon and Expired Certificate Alarms
 <alarm-expiring-soon-and-expired-certificates-baf5b8f73009>`.
+
+.. note::
+    
+    Ensure the certificates have RSA key length >= 2048 bits. The
+    |prod-long| Release |this-ver| provides a new version of ``openssl`` which
+    requires a minimum of 2048-bit keys for RSA for better security / encryption
+    strength.
+    
+    You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
+    and looking for the "Public-Key" in the output. For more information see
+    :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst

@@ -65,3 +65,14 @@ file, and copy the file to the controller host.
     MUST renew the certificate prior to expiry, otherwise a variety of system
     operations will fail.
 
+.. note::
+    
+    Ensure the certificates have RSA key length >= 2048 bits. The
+    |prod-long| Release |this-ver| provides a new version of ``openssl`` which
+    requires a minimum of 2048-bit keys for RSA for better security / encryption
+    strength.
+    
+    You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
+    and looking for the "Public-Key" in the output. For more information see
+    :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
+

doc/source/security/kubernetes/kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d.rst

@@ -103,6 +103,17 @@ and ``/etc/kubernetes/pki/ca.key``.
         existing certificate will ignore any arguments to generate a
         certificate.
 
+    .. note::
+        
+        Ensure the certificates have RSA key length >= 2048 bits. The
+        |prod-long| Release |this-ver| provides a new version of ``openssl``
+        which requires a minimum of 2048-bit keys for RSA for better
+        security / encryption strength.
+        
+        You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
+        and looking for the "Public-Key" in the output. For more information see
+        :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
+
 #.  Apply the strategy.
 
     .. code-block::

doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst

@@ -52,6 +52,17 @@ value is the absolute path of the certificate file. The certificate
 must be in |PEM| format and the value must be provided as part of a pair
 with <k8s_root_ca_cert>.
 
+.. note::
+    
+    Ensure the certificates have RSA key length >= 2048 bits. The
+    |prod-long| Release |this-ver| provides a new version of ``openssl`` which
+    requires a minimum of 2048-bit keys for RSA for better security / encryption
+    strength.
+    
+    You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
+    and looking for the "Public-Key" in the output. For more information see
+    :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
+
 For example:
 
 .. code-block:: none

doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst

@@ -92,6 +92,18 @@ controllers/subclouds.
         (self-signed, internal Root |CA|) or use an external Root
         |CA| that would make this an Intermediate |CA|.
 
+    .. note::
+      
+        Ensure the certificates have RSA key length >= 2048 bits before
+        migrating to |prod-long| Release |this-ver|. The |prod-long| Release
+        |this-ver| provides a new version of ``openssl`` which requires a
+        minimum of 2048-bit keys for RSA for better security / encryption
+        strength.
+        
+        You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
+        and looking for the "Public-Key" in the output. For more information see
+        :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
+
     ``system_root_ca_cert``
         The Root |CA| that signed ``system_local_ca_cert``. If
         ``system_local_ca_cert`` is a self-signed, internal Root |CA|

doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate-deprecated.rst

@@ -99,6 +99,17 @@ above certificate.
     ``<pathTocertificateAndKey>``
         is the path to the file containing both the Docker registry's
         Intermediate or Root CA-signed certificate and private key to install.
+        
+    .. note::
+        
+        Ensure the certificates have RSA key length >= 2048 bits. The
+        |prod-long| Release |this-ver| provides a new version of ``openssl``
+        which requires a minimum of 2048-bit keys for RSA for better
+        security / encryption strength.
+        
+        You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
+        and looking for the "Public-Key" in the output. For more information see
+        :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
 
 Refer to :ref:`Install/Update Local Registry Certificates
 <installing-updating-the-docker-registry-certificate>` on how to install/update

doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst

@@ -122,6 +122,17 @@ certificates.
 
 #. Copy the |PEM| encoded certificate and key from the externally generated
    |CA| to the controller host.
+   
+   .. note::
+    
+       Ensure the certificates have RSA key length >= 2048 bits. The
+       |prod-long| Release |this-ver| provides a new version of ``openssl``
+       which requires a minimum of 2048-bit keys for RSA for better
+       security / encryption strength.
+       
+       You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
+       and looking for the "Public-Key" in the output. For more information see
+       :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
 
 #. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key
    files: