Bug 1547497 - RFE: customizing RSA keys size of OpenShift CA through ansible variable
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.5.0
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Derek Carr
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-02-21 12:50 UTC by Manikandan Somasundaram
Modified: 2023-09-14 04:16 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-18 21:22:04 UTC
Target Upstream Version:
Embargoed:



Comment 1 Matt Gartman 2018-06-04 10:43:25 UTC
Any update on this? Our security team requires the key size to be greater than the hard-coded 2048.

Comment 3 Paul Weil 2018-06-11 18:49:58 UTC
Simo,

Should all the keys just be 4096, or does configuration make sense here?

Comment 4 Simo Sorce 2018-06-11 19:30:16 UTC
Keys of size 4096 cause noticeable performance issues, so they are normally used only for certificates that need to last for a long time (like CA keys that need to last for 20 years). FIPS, for example, still only allows 2k and 3k keys.
Our certificates are relatively short-lived, so we should use a longer key only for the CA.
In general, configurability is a good thing because different customers may need different security/performance/compatibility tradeoffs.

Comment 8 knewcomer 2019-05-18 21:21:50 UTC
This has been moved to https://jira.coreos.com/browse/RFE-134

Comment 9 Red Hat Bugzilla 2023-09-14 04:16:54 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.

