Bug 1378119 - SSL/TLS configuration tries to sign a 2048 bit server key with a 4096 bit CA cert
Status: CLOSED NOTABUG
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 9.0 (Mitaka)
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
: 10.0 (Newton)
Assignee: Dan Macpherson
QA Contact: RHOS Documentation Team
Reported: 2016-09-21 13:57 UTC by Ken Savich
Modified: 2019-04-17 16:41 UTC (History)
Last Closed: 2017-03-01 22:40:08 UTC

Description Ken Savich 2016-09-21 13:57:09 UTC
Description of problem:

https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration

Step A.5 attempts to use a 4096 bit CA cert, created in A.2, to sign a 2048 bit server key. This will fail, as they need to match in order to be successful. 



Comment 2 Dan Macpherson 2016-09-21 14:50:19 UTC
Hi Ken,

Thanks for reporting this. 

What kind of error are you experiencing? I only ask because I've been able to successfully create separate CA and server certs using keys with different bit sizes, so if you're experiencing an error it might be due to something else.

I tested this out and have successfully been able to sign the 2048 bit CSR with the 4096 bit CA. I'll attach a log to show what I mean.

I've also been able to use certs and keys created with the same process successfully with test Underclouds and Overclouds.

So I can change them to the same bit size, but I don't think it'll make much difference if you're experiencing an error.

How did you want to proceed?
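
The test described in Comment 2, as an added example that is not part of the original thread or of the Red Hat documentation: a 4096-bit RSA CA signs a CSR for a 2048-bit server key, and the result is checked with `openssl verify`. It assumes a stock `openssl` with its default configuration file, uses `openssl x509 -req` rather than the appendix's own commands (which are not reproduced on this page), and all names are constructed.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed subject names, all in a temp dir.

# key_bits CERT: print the size in bits of the public key inside a certificate.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# sign_mismatched: a 4096-bit CA signs a CSR for a 2048-bit server key.
# Prints "ca=<bits> server=<bits> verify=OK"; returns non-zero if any step fails.
sign_mismatched() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # CA key (4096 bit) and self-signed CA certificate.
        openssl genrsa -out ca.key.pem 4096 2>/dev/null &&
        openssl req -new -x509 -key ca.key.pem -days 30 \
            -subj "/CN=Example Test CA" -out ca.crt.pem 2>/dev/null &&
        # Server key (2048 bit) and its certificate signing request.
        openssl genrsa -out server.key.pem 2048 2>/dev/null &&
        openssl req -new -key server.key.pem \
            -subj "/CN=server.example.test" -out server.csr.pem 2>/dev/null &&
        # The CA signs a hash of the certificate body with its own key; the
        # subject's key is only data inside that body, so its size is free.
        openssl x509 -req -in server.csr.pem -CA ca.crt.pem -CAkey ca.key.pem \
            -CAcreateserial -days 30 -sha256 -out server.crt.pem 2>/dev/null &&
        # Chain validation: server certificate against the CA certificate.
        openssl verify -CAfile ca.crt.pem server.crt.pem >/dev/null 2>&1 &&
        echo "ca=$(key_bits ca.crt.pem) server=$(key_bits server.crt.pem) verify=OK"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

sign_mismatched
```

If a signing step does fail in a real deployment, running the same commands without `2>/dev/null` shows the underlying OpenSSL error.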

Comment 4 Ken Savich 2016-10-24 13:24:43 UTC
Dan

I haven't had a chance to test again. I'll be able to do some more testing the week of 10/31

thanks

