Bug 1547497

Summary: RFE: customizing RSA keys size of OpenShift CA through ansible variable
Product: OpenShift Container Platform Reporter: Manikandan Somasundaram <msomasun>
Component: RFEAssignee: Derek Carr <decarr>
Status: CLOSED DEFERRED QA Contact: Xiaoli Tian <xtian>
Severity: low Docs Contact:
Priority: unspecified    
Version: 3.5.0CC: aos-bugs, decarr, eparis, fshaikh, jialiu, jokerman, knewcomer, matthew_gartman, mmccomas, ssadhale, ssorce, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-18 21:22:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Matt Gartman 2018-06-04 10:43:25 UTC 
Any update on this?  Our security team requires the key size to be greater then the hard coded 2048.
Comment 3 Paul Weil 2018-06-11 18:49:58 UTC 
Simo,

should all the keys just be 4096 or does configuration make sense here?
Comment 4 Simo Sorce 2018-06-11 19:30:16 UTC 
keys of size 4096 cause noticeable performance issues, so they are normally used only for certificates that need to last for a long time (like CA keys that need to last for 20 years). FIPS for example still only allows 2k and 3k keys.
Our certificates are relatively short lived so we should use a longer key only for the CA.
In general configurability is a good thing because different customers may need different security/performance/compatibility tradeoffs.
Comment 8 knewcomer 2019-05-18 21:21:50 UTC 
This has been moved to https://jira.coreos.com/browse/RFE-134
Comment 9 Red Hat Bugzilla 2023-09-14 04:16:54 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days