When crypto policy is set to FUTURE, "EE certificate key too weak" warnings are shown

Solution Verified

Issue

When the crypto policy is set to FUTURE, an error is reported that the certificate key is too weak:

# curl -v --cert /etc/pki/entitlement/5287657135911278332.pem --key /etc/pki/entitlement/5287657135911278332-key.pem  https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml -k

*   Trying 23.222.172.83...
* TCP_NODELAY set
* Connected to cdn.redhat.com (23.222.172.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=North Carolina; O=Red Hat, Inc.; OU=Red Hat Network; CN=cdn.redhat.com
*  start date: Apr 24 12:53:26 2019 GMT
*  expire date: Apr 23 12:53:26 2021 GMT
*  issuer: C=US; ST=North Carolina; O=Red Hat, Inc.; OU=Red Hat Network; CN=Red Hat Entitlement Operations Authority; emailAddress=ca-support@redhat.com
*  SSL certificate verify result: EE certificate key too weak (66), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml HTTP/1.1
> Host: cdn.redhat.com
> User-Agent: curl/7.61.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Type: application/xml
< ETag: "432f7ed176aa4447870fddd3e056651b:1579196131.992764"
< Last-Modified: Thu, 16 Jan 2020 17:33:41 GMT
< Server: AkamaiNetStorage
< Content-Length: 4622
< Date: Fri, 17 Jan 2020 11:28:41 GMT
< X-Cache: TCP_MEM_HIT from a173-223-52-56.deploy.akamaitechnologies.com (AkamaiGHost/9.8.5.1.1-27758809) (-)
< Connection: keep-alive
< EJ-HOST: authorizr-prod-dc-us-west-3-k7nll
< X-Akamai-Request-ID: aa786d1
< 
* Connection #0 to host cdn.redhat.com left intact
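
The trace above ends in `HTTP/1.1 200 OK` only because the command was run with `-k`: curl logged verify result 66 (OpenSSL's `X509_V_ERR_EE_KEY_TOO_SMALL`) and continued anyway. The following is an added example, not part of the original article, that pulls the verification outcome out of a saved `curl -v` trace so a masked failure is not mistaken for success. The function names are hypothetical, and the second connection in the sample is constructed.

```shell
#!/usr/bin/env bash
# Added example: summarise certificate verification in `curl -v` output.
# Reads trace text from files given as arguments, or from stdin.

# Constructed sample: the first connection reuses lines from the trace above,
# the second (example.test) is made up to show a clean verification.
sample_trace() {
  cat <<'EOF'
* Connected to cdn.redhat.com (23.222.172.83) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
*  SSL certificate verify result: EE certificate key too weak (66), continuing anyway.
< HTTP/1.1 200 OK
* Connected to example.test (192.0.2.10) port 443 (#0)
*  SSL certificate verify ok.
< HTTP/1.1 200 OK
EOF
}

# Prints one line per verification: host<TAB>code<TAB>reason<TAB>state
# state is "verified", "masked" (failed, but curl continued) or "failed".
verify_results() {
  awk '
    /^\* Connected to /          { host = $4 }
    /SSL certificate verify ok/  { printf "%s\t0\tok\tverified\n", host }
    /SSL certificate verify result: / {
      line = $0
      sub(/^.*verify result: /, "", line)
      if (match(line, /\([0-9]+\)/)) {
        code   = substr(line, RSTART + 1, RLENGTH - 2)  # digits inside (...)
        reason = substr(line, 1, RSTART - 2)            # text before " (NN)"
      } else {
        code = "?"; reason = line
      }
      state = (line ~ /continuing anyway/) ? "masked" : "failed"
      printf "%s\t%s\t%s\t%s\n", host, code, reason, state
    }
  ' "$@"
}

# Number of connections whose verification failed but was ignored.
masked_count() {
  verify_results "$@" | awk -F'\t' '$4 == "masked" { n++ } END { print n + 0 }'
}

sample_trace | verify_results
echo "masked failures: $(sample_trace | masked_count)"
```
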

Environment

Red Hat Enterprise Linux 8
