Red Hat Enterprise Linux 8 clients with FUTURE policy get error: EE certificate key too weak
Issue
“The FUTURE policy provides additional hardening of the system. It is a conservative security level that is believed to withstand any near-term future attacks. The policy is not supposed to be used for general purpose systems.”
Background
- Original BZ
- Detailed description of FUTURE policy
- General overview of crypto policies in Red Hat Enterprise Linux 8
In order for Red Hat Satellite server to communicate with clients, the following is required to be on the client:
1. CA Certificate from Red Hat Satellite (downloaded with curl --insecure before registration)
2. Identity certificate signed by Red Hat Satellite CA (obtained through subscription-manager register)
3. Entitlement certificates for each subscription
Problem
On Red Hat Enterprise Linux 8 clients with a crypto policy of FUTURE, the 2048-bit RSA certificates generated by Red Hat Satellite are not sufficient. They must be at least 3072 bits (see Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms).
For new Satellite installations (Red Hat Satellite 6.8 and newer), the katello-certs-tools package has already been updated to generate 4096-bit certificates. The problem is how to handle existing and upgraded Red Hat Satellite installations when Red Hat Enterprise Linux 8 clients need to use the FUTURE policy.
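To see which of the client certificates listed above fall below the 3072-bit minimum, their RSA key sizes can be read from the output of openssl x509 -noout -text. The script below is an added example, not Red Hat's tooling or part of the original article; the certificate files are passed as arguments because the article does not give their paths, and the embedded sample text is constructed.

```bash
#!/usr/bin/env bash
# Added example (not Red Hat's tooling): flag certificates whose RSA key is
# below the 3072-bit minimum the article gives for the FUTURE policy.
FUTURE_MIN_RSA_BITS=3072

# Classify `openssl x509 -noout -text` output read from stdin.
# Prints "OK <bits>", "WEAK <bits>", "SKIP <alg>" or "UNPARSED".
classify_cert_text() {
    local text alg bits
    text=$(cat)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$alg" ]; then
        echo "UNPARSED"
    elif [ "$alg" != "rsaEncryption" ]; then
        echo "SKIP $alg"          # the 3072-bit figure applies to RSA keys only
    elif [ -z "$bits" ]; then
        echo "UNPARSED"
    elif [ "$bits" -lt "$FUTURE_MIN_RSA_BITS" ]; then
        echo "WEAK $bits"
    else
        echo "OK $bits"
    fi
}

# Audit the certificate files given as arguments; returns 1 if any is WEAK.
audit_certs() {
    local f verdict rc=0
    for f in "$@"; do
        verdict=$(openssl x509 -in "$f" -noout -text 2>/dev/null | classify_cert_text)
        printf '%-10s %s\n' "$verdict" "$f"
        case $verdict in WEAK*) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample: the relevant lines as OpenSSL 1.1.1 prints them.
SAMPLE_2048='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)'

if [ "$#" -gt 0 ]; then
    audit_certs "$@"
else
    printf '%s\n' "$SAMPLE_2048" | classify_cert_text
fi
```

Run it on the client with the CA, identity and entitlement certificate files as arguments; a file that openssl cannot read as a certificate is reported as UNPARSED.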
Environment
- Red Hat Satellite 6.7 or older (new installations)
- Red Hat Satellite 6 any version (upgraded installations)
- At least one Red Hat Enterprise Linux 8 client with FUTURE crypto policies