Bug 1749916 - [RFE] Satellite should support certificates with > 2048 Key size
Summary: [RFE] Satellite should support certificates with > 2048 Key size
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Certificates
Version: 6.6.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: 6.8.0
Assignee: Jonathon Turel
QA Contact: Stephen Wadeley
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-06 18:46 UTC by Rich Jerrido
Modified: 2021-02-26 02:57 UTC
CC List: 11 users

Fixed In Version: katello-certs-tools-2.7.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 12:59:02 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 29724 0 Normal Closed Increase cert bits to 4096 2021-02-12 02:00:40 UTC
Red Hat Knowledge Base (Solution) 5393241 0 None None None 2020-10-22 15:38:08 UTC
Red Hat Product Errata RHSA-2020:4366 0 None None None 2020-10-27 12:59:20 UTC

Description Rich Jerrido 2019-09-06 18:46:20 UTC
an issue with both Satellite and CDN in that they don't currently support the 'FUTURE' protocols defined in RHEL 8 system-wide crypto policy.

Customer required the disabling of SHA1 based protocols, which 'FUTURE' achieves [1].

Satellite defaults to a 2048 key size. RHEL8 'FUTURE' requires 3071 bit minimum.


# echo | openssl s_client -connect satellite.example.com:443 2>/dev/null | openssl x509 -text -noout | grep 'Public-Key'
                RSA Public-Key: (2048 bit)

# update-crypto-policies --set FUTURE
Setting system policy to FUTURE


# yum repolist
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                            0.0  B/s |   0  B     00:01    
Error: Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms'

Setting back to 'DEFAULT' works:

root[~] # update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT

root[~] # yum repolist
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                            879  B/s | 4.5 kB     00:05    
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                            1.1 MB/s | 8.7 MB     00:08    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                               763  B/s | 4.0 kB     00:05    
repo id                                            repo name                                                                  status
rhel-8-for-x86_64-appstream-rpms                   Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                   5,771
rhel-8-for-x86_64-baseos-rpms                      Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                      2,097

[1] https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8


For the scope of this RFE, it is expected that

- as a user, I can regenerate the certificates with a new key length
- as a user, I can regenerate the certificates for my capsules. 
- new installs of Satellite should use a longer key length.
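
The check the reporter ran above (pull the server certificate with openssl s_client and read the key size) turned into a small script that also compares the size with a named crypto policy. This is an added example, not part of the bug report and not Satellite's own tooling; the function names are this example's own, and the policy minimums it encodes (2048 bits for DEFAULT, 3072 bits for FUTURE) are an assumption to be checked against the crypto-policies definitions on the system in question.

```shell
#!/bin/sh
# Added example, not from the bug report: compare a certificate's RSA key
# size with the minimum a RHEL 8 system-wide crypto policy accepts.
# The policy minimums below are an assumption of this example (DEFAULT 2048,
# FUTURE 3072); confirm them against the crypto-policies definitions.

# Print the minimum RSA modulus size (bits) for a policy name.
policy_min_rsa_bits() {
    case "$1" in
        DEFAULT) echo 2048 ;;
        FUTURE)  echo 3072 ;;
        *) echo "unknown policy: $1" >&2; return 1 ;;
    esac
}

# Print the RSA public key size (bits) of a PEM certificate file ($1).
# Refuses non-RSA certificates: the policy minimum for ECDSA or Ed25519
# keys is a different number, so comparing those against the RSA
# threshold would give a misleading answer.
cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'Public Key Algorithm: rsaEncryption' \
        || { echo "$1: not an RSA certificate (or unreadable)" >&2; return 1; }
    # Both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)" match,
    # so this works across OpenSSL 1.x and 3.x output formats.
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -noout -text \
        | grep -o '([0-9][0-9]* bit)' | head -n 1 | tr -dc '0-9'
}

# Save the certificate a TLS server presents ($1 host, $2 port) to a PEM
# file ($3), the same way the report did with 'openssl s_client'.
fetch_server_cert() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Exit 0 if the certificate ($1) meets the policy ($2), 1 if the key is
# too small, 2 if the key size could not be determined.
check_cert_policy() {
    min=$(policy_min_rsa_bits "$2") || return 2
    bits=$(cert_rsa_bits "$1") || return 2
    [ -n "$bits" ] || { echo "$1: could not read key size" >&2; return 2; }
    if [ "$bits" -ge "$min" ]; then
        echo "$1: RSA $bits-bit key meets the $2 minimum of $min bits"
    else
        echo "$1: RSA $bits-bit key is below the $2 minimum of $min bits" >&2
        return 1
    fi
}

# Usage (host and paths are placeholders):
#   fetch_server_cert satellite.example.com 443 /tmp/satellite.crt
#   check_cert_policy /tmp/satellite.crt FUTURE
```

Running the check against a Satellite and each of its Capsules before switching clients to FUTURE shows which certificates still need regenerating; a 2048-bit result against FUTURE reproduces the repo sync failure in the report, while the same certificate passes under DEFAULT.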

Comment 7 Jonathon Turel 2020-05-26 15:28:35 UTC
Connecting redmine issue https://projects.theforeman.org/issues/29724 from this bug

Comment 14 Stephen Wadeley 2020-06-11 12:23:58 UTC
(In reply to Rich Jerrido from comment #0)

Hello

I have verified that the certificates used for the default install of Satellite 6.8 and Satellite Capsule 6.8 use a 4096 bit key.

> 
> For the scope of this RFE, it is expected that
> 
> - as a user, I can regenerate the certificates with a new key length
> - as a user, I can regenerate the certificates for my capsules. 

Note that I tested the above steps as root user

> - new installs of Satellite should use a longer key length.

This is now 4096

Thank you

Comment 18 errata-xmlrpc 2020-10-27 12:59:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366

