Bug 1749916

Summary: [RFE] Satellite should support certificates with > 2048 Key size
Product: Red Hat Satellite
Reporter: Rich Jerrido <rjerrido>
Component: Certificates
Assignee: Jonathon Turel <jturel>
Status: CLOSED ERRATA
QA Contact: Stephen Wadeley <swadeley>
Severity: medium
Priority: medium
Version: 6.6.0
CC: amaryniuk, bkearney, egolov, gpayelka, jturel, kupadhya, mvanderw, nshaik, sadas, sokeeffe, zhunting
Target Milestone: 6.8.0
Keywords: FutureFeature, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version: katello-certs-tools-2.7.0
Doc Type: If docs needed, set a value
Last Closed: 2020-10-27 12:59:02 UTC
Type: Bug

Description Rich Jerrido 2019-09-06 18:46:20 UTC
an issue with both Satellite and CDN in that they don't currently support the 'FUTURE' protocols defined in RHEL 8  system-wide crypto policy.  

Customer required the disabling of SHA1 based protocols, which 'FUTURE' achieves [1].

Satellite defaults to a 2048 key size. RHEL8 'FUTURE' requires 3071 bit minimum.


# echo | openssl s_client -connect satellite.example.com:443 2>/dev/null | openssl x509 -text -noout | grep 'Public-Key'
                RSA Public-Key: (2048 bit)

# update-crypto-policies --set FUTURE
Setting system policy to FUTURE


# yum repolist
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                            0.0  B/s |   0  B     00:01    
Error: Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms'

Setting back to 'DEFAULT' works:

root[~] # update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT

root[~] # yum repolist
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                            879  B/s | 4.5 kB     00:05    
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                            1.1 MB/s | 8.7 MB     00:08    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                               763  B/s | 4.0 kB     00:05    
repo id                                            repo name                                                                  status
rhel-8-for-x86_64-appstream-rpms                   Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                   5,771
rhel-8-for-x86_64-baseos-rpms                      Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                      2,097

[1] https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8


For the scope of this RFE, it is expected that

- as a user, I can regenerate the certificates with a new key length
- as a user, I can regenerate the certificates for my capsules. 
- new installs of Satellite should use a longer key length.
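
The check below is an added example, not part of the bug report or of Satellite's tooling: it reads the RSA key size out of a certificate with the openssl CLI, as the s_client command above does, and compares it with a crypto-policy floor so a client can be checked before `update-crypto-policies --set FUTURE` is applied. It assumes the openssl binary is installed and uses the crypto-policies RSA minimums of 2048 bits for DEFAULT and 3072 bits for FUTURE (the report rounds the latter to 3071).

```shell
#!/bin/sh
# Added example (not from the bug report): report an X.509 certificate's RSA
# key size and compare it with the RSA floor of a RHEL 8 crypto policy.
# Assumes the openssl CLI is installed.
set -eu

# Print the public key size, in bits, of a PEM certificate file.
# Matches both the "RSA Public-Key: (2048 bit)" wording of OpenSSL 1.1 and
# the "Public-Key: (2048 bit)" wording of OpenSSL 3.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# Minimum RSA key size accepted by a crypto-policies profile name.
policy_min_bits() {
    case "$1" in
        DEFAULT) echo 2048 ;;
        FUTURE)  echo 3072 ;;
        *) echo "unknown policy: $1" >&2; return 2 ;;
    esac
}

# Return 0 when the certificate's key meets the policy floor, 1 when it does
# not, printing a one-line verdict either way.
check_cert_policy() {
    cert="$1"; policy="$2"
    bits=$(cert_key_bits "$cert")
    min=$(policy_min_bits "$policy")
    if [ "$bits" -ge "$min" ]; then
        echo "OK: $cert has a ${bits}-bit key (>= $min required by $policy)"
        return 0
    fi
    echo "FAIL: $cert has a ${bits}-bit key (< $min required by $policy)"
    return 1
}

# Constructed sample input: a throwaway self-signed certificate with the
# requested key size (2048 bits as Satellite 6.6 issued, 4096 as 6.8 does).
make_test_cert() {  # usage: make_test_cert <bits> <out.pem>
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=satellite.example.com" -keyout "$2.key" -out "$2" 2>/dev/null
}
```

Run `check_cert_policy /etc/pki/katello/certs/katello-apache.crt FUTURE` (a hypothetical path, not taken from the report) on the server, or point `cert_key_bits` at a file saved from `openssl s_client`, before switching clients to the FUTURE policy.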

Comment 7 Jonathon Turel 2020-05-26 15:28:35 UTC
Connecting redmine issue https://projects.theforeman.org/issues/29724 from this bug

Comment 14 Stephen Wadeley 2020-06-11 12:23:58 UTC
(In reply to Rich Jerrido from comment #0)

Hello

I have verified that the certificates used for the default install of Satellite 6.8 and Satellite Capsule 6.8 use a 4096 bit key.

> 
> For the scope of this RFE, it is expected that
> 
> - as a user, I can regenerate the certificates with a new key length
> - as a user, I can regenerate the certificates for my capsules. 

Note that I tested the above steps as root user

> - new installs of Satellite should use a longer key length.

This is now 4096

Thank you

Comment 18 errata-xmlrpc 2020-10-27 12:59:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366