an issue with both Satellite and CDN in that they don't currently support the 'FUTURE' protocols defined in RHEL 8 system-wide crypto policy. Customer required the disabling of SHA1 based protocols, which 'FUTURE' achieves [1].

Satellite defaults to a 2048 key size. RHEL8 'FUTURE' requires 3071 bit minimum.

    # echo | openssl s_client -connect satellite.example.com:443 2>/dev/null | openssl x509 -text -noout | grep 'Public-Key'
    RSA Public-Key: (2048 bit)

    # update-crypto-policies --set FUTURE
    Setting system policy to FUTURE

    # yum repolist
    Updating Subscription Management repositories.
    Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)    0.0 B/s | 0 B 00:01
    Error: Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms'

Setting back to 'DEFAULT' works:

    root[~] # update-crypto-policies --set DEFAULT
    Setting system policy to DEFAULT
    root[~] # yum repolist
    Updating Subscription Management repositories.
    Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)    879 B/s | 4.5 kB 00:05
    Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)    1.1 MB/s | 8.7 MB 00:08
    Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)       763 B/s | 4.0 kB 00:05
    repo id                             repo name                                                   status
    rhel-8-for-x86_64-appstream-rpms    Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)    5,771
    rhel-8-for-x86_64-baseos-rpms       Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)       2,097

[1] https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8

For the scope of this RFE, it is expected that

- as a user, I can regenerate the certificates with a new key length
- as a user, I can regenerate the certificates for my capsules.
- new installs of Satellite should use a longer key length.
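Added example, not part of the original report: the key-size check from the description turned into a script that handles both OpenSSL output wordings, skips non-RSA keys, and reports when no certificate came back. The function names (key_bits, verdict, check_host) and the sample texts are assumptions made for illustration; the minimum is passed in by the caller.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): compare a server certificate's RSA
# key size with a minimum supplied by the caller.

# Constructed samples of `openssl x509 -text -noout` output, trimmed to the two
# lines the check needs. OpenSSL 1.1.1 prints "RSA Public-Key", 3.x "Public-Key".
SAMPLE_2048='        Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)'
SAMPLE_4096='        Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)'
SAMPLE_EC='        Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'

# key_bits: x509 text on stdin -> RSA key size in bits on stdout.
# Fails for non-RSA keys (EC sizes are not comparable to an RSA minimum)
# and for empty input, e.g. when no certificate was returned.
key_bits() {
    local text bits
    text=$(cat)
    case $text in
        *'Public Key Algorithm: rsaEncryption'*) ;;
        *) return 1 ;;
    esac
    bits=$(printf '%s\n' "$text" |
        sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    [ -n "$bits" ] && printf '%s\n' "$bits"
}

# verdict MIN: x509 text on stdin -> "OK <bits>", "WEAK <bits>" or "UNKNOWN".
verdict() {
    local min=$1 bits
    if ! bits=$(key_bits); then
        echo "UNKNOWN"; return 2
    fi
    if [ "$bits" -ge "$min" ]; then
        echo "OK $bits"
    else
        echo "WEAK $bits"; return 1
    fi
}

# check_host HOST:PORT MIN: fetch the leaf certificate the way the report does.
check_host() {
    echo | openssl s_client -connect "$1" 2>/dev/null |
        openssl x509 -text -noout 2>/dev/null | verdict "$2"
}

# Run only when called as: script HOST:PORT MIN_BITS
if [ "$#" -eq 2 ]; then check_host "$1" "$2"; fi
```

Running it against the Satellite and each capsule before switching clients to a stricter policy shows which certificates need regenerating first.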
Connecting redmine issue https://projects.theforeman.org/issues/29724 from this bug
(In reply to Rich Jerrido from comment #0)

Hello

I have verified that the certificates used for the default install of Satellite 6.8 and Satellite Capsule 6.8 use a 4096 bit key.

>
> For the scope of this RFE, it is expected that
>
> - as a user, I can regenerate the certificates with a new key length
> - as a user, I can regenerate the certificates for my capsules.

Note that I tested the above steps as root user

> - new installs of Satellite should use a longer key length.

This is now 4096

Thank you
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.8 release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4366