Appendix C. Locations of cryptographic keys in RHEL 8

After you upgrade a system that is running in Federal Information Processing Standard (FIPS) mode, you must regenerate and otherwise ensure the FIPS compliance of all cryptographic keys. Some well-known locations for such keys are in the following table. Note that the list is not complete, and you might check also other locations.

Table C.1. Locations of cryptographic keys in RHEL 8

ApplicationLocations of keysNotes

Apache mod_ssl


The /usr/lib/systemd/system/httpd-init.service service runs the /usr/libexec/httpd-ssl-gencerts file if the /etc/pki/tls/private/localhost.key does not exist.

Bind9 RNDC


The named-setup-rndc.service service runs the /usr/libexec/ script, which generates the /etc/rndc.key file.

Cyrus IMAPd


The cyrus-imapd-init.service service generates the /etc/pki/cyrus-imapd/cyrus-imapd-key.pem file on its startup.



The dnssec-triggerd-keygen.service service generates the /etc/dnssec-trigger/dnssec_trigger_control.key file.



The dovecot-init.service service generates the /etc/pki/dovecot/private/dovecot.pem file on its startup.



The tog-pegasus.service service generates the /etc/pki/Pegasus/file.pem private key file.



Ed25519 and DSA keys are not FIPS-compliant.

Custom Diffie-Hellman (DH) parameters are not supported in FIPS mode. Comment out the ModuliFile option in the sshd_config file to ensure compatibility with FIPS mode. You can keep the moduli file (/etc/ssh/moduli by default) in place.



The post-installation script contained in the postfix package generates the /etc/pki/tls/private/postfix.key file.

RHEL web console


The web console runs the /usr/libexec/cockpit-certificate-ensure –for-cockpit-tls file, which creates keys in the /etc/cockpit/ws-certs.d/ directory.



The post-installation script contained in the sendmail package generates the /etc/pki/tls/private/sendmail.key file.

To ensure the FIPS compliance of cryptographic keys of third-party applications, refer to the corresponding documentation of the respective applications. Furthermore:

  • Any service that opens a port might use a TLS certificate.

    • Not all services generate cryptographic keys automatically, but many services that start up automatically by default often do so.
  • Focus also on services that use any cryptographic libraries such as NSS, GnuTLS, OpenSSL, and libgcrypt.
  • Check also backup, disk-encryption, file-encryption, and similar applications.

Because FIPS mode in RHEL 8 restricts DSA keys, DH parameters, RSA keys shorter than 1024 bits, and some other ciphers, old cryptographic keys stop working after the upgrade from RHEL 7. See the Changes in core cryptographic components section in the Considerations in adopting RHEL 8 document and the Using system-wide cryptographic policies chapter in the RHEL 8 Security hardening document for more information.

Additional resources