Added RSA Key length (dsr8)

Modified the note to include <the certificate file>
Removed trailing spaces and fixed Patchset 7 comments
Updated Patchset 6 comments and removed the word platform
Fixed formatting issues
Updated Patchset 4 comments
Added additional notes in multiple topics listed in the review
Updated the Security / Upgrade Guide with a note
Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>

Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2
This commit is contained in:
Juanita Balaraj 2023-06-19 20:14:20 +00:00
parent 0919b0d6c3
commit cb0245cfab
8 changed files with 89 additions and 2 deletions

View File

@ -9,6 +9,16 @@ Create Certificates Locally using openssl
You can use :command:`openssl` to locally create certificates suitable for
use in a lab environment.
.. note::
Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output.
.. rubric:: |proc|
.. _create-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
@ -64,4 +74,3 @@ use in a lab environment.
$ cat my-server-cert.pem my-server-key.pem > my-server.pem

View File

@ -119,3 +119,14 @@ In addition, |prod| monitors the installed certificates on the system by raising
alarms for expire-soon certificates and for expired certificates on the system,
see :ref:`Expiring-Soon and Expired Certificate Alarms
<alarm-expiring-soon-and-expired-certificates-baf5b8f73009>`.
.. note::
Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

View File

@ -65,3 +65,14 @@ file, and copy the file to the controller host.
MUST renew the certificate prior to expiry, otherwise a variety of system
operations will fail.
.. note::
Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

View File

@ -103,6 +103,17 @@ and ``/etc/kubernetes/pki/ca.key``.
existing certificate will ignore any arguments to generate a
certificate.
.. note::
Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl``
which requires a minimum of 2048-bit keys for RSA for better
security / encryption strength.
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
#. Apply the strategy.
.. code-block::

View File

@ -52,6 +52,17 @@ value is the absolute path of the certificate file. The certificate
must be in |PEM| format and the value must be provided as part of a pair
with <k8s_root_ca_cert>.
.. note::
Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
For example:
.. code-block:: none

View File

@ -92,6 +92,18 @@ controllers/subclouds.
(self-signed, internal Root |CA|) or use an external Root
|CA| that would make this an Intermediate |CA|.
.. note::
Ensure the certificates have RSA key length >= 2048 bits before
migrating to |prod-long| Release |this-ver|. The |prod-long| Release
|this-ver| provides a new version of ``openssl`` which requires a
minimum of 2048-bit keys for RSA for better security / encryption
strength.
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
``system_root_ca_cert``
The Root |CA| that signed ``system_local_ca_cert``. If
``system_local_ca_cert`` is a self-signed, internal Root |CA|

View File

@ -100,6 +100,17 @@ above certificate.
is the path to the file containing both the Docker registry's
Intermediate or Root CA-signed certificate and private key to install.
.. note::
Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl``
which requires a minimum of 2048-bit keys for RSA for better
security / encryption strength.
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
Refer to :ref:`Install/Update Local Registry Certificates
<installing-updating-the-docker-registry-certificate>` on how to install/update
and renew local registry certificates.

View File

@ -123,6 +123,17 @@ certificates.
#. Copy the |PEM| encoded certificate and key from the externally generated
|CA| to the controller host.
.. note::
Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl``
which requires a minimum of 2048-bit keys for RSA for better
security / encryption strength.
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
#. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key
files: