Red Hat Enterprise Linux 8 clients with FUTURE policy get error: EE certificate key too weak

Solution Verified

Issue

“The FUTURE policy provides additional hardening of the system. It is a conservative security level that is believed to withstand any near-term future attacks. The policy is not supposed to be used for general purpose systems.”

Background

For the Red Hat Satellite server to communicate with a client, the client must have the following:
1. The CA certificate from Red Hat Satellite (downloaded with curl --insecure before registration)
2. An identity certificate signed by the Red Hat Satellite CA (obtained through subscription-manager register)
3. Entitlement certificates for each subscription

Problem

On Red Hat Enterprise Linux 8 clients with a crypto policy of FUTURE, the 2048-bit RSA certificates generated by Red Hat Satellite are not sufficient. They must be at least 3072 bits (see Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms).

For new Satellite installations (Red Hat Satellite 6.8 and newer), the katello-certs-tools package has already been updated to generate 4096-bit certificates. The problem is how to handle existing and upgraded Red Hat Satellite installations when Red Hat Enterprise Linux 8 clients need to use the FUTURE policy.
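
To see which of the certificates listed under Background fall below the 3072-bit minimum, a client-side check can read each certificate's RSA key size with openssl. This is an added example, not Red Hat's own tooling; the function names are illustrative, and the certificate files to check are passed as arguments rather than assumed.

```shell
#!/bin/sh
# Added example: flag RSA certificates below the FUTURE minimum stated above.
MIN_RSA_BITS=3072

# Print the RSA key size (bits) of the first certificate in a PEM file.
# Returns 1 if the file is not a readable certificate with an RSA key.
# (Function bodies are subshells so their variables stay local.)
cert_rsa_bits() (
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || exit 1
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || exit 1
    # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)"; 3.x prints "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && echo "$bits"
)

# Classify one file as OK, WEAK or SKIP. Exit status is 1 only for WEAK.
check_cert() (
    bits=$(cert_rsa_bits "$1") || { echo "SKIP $1 (no RSA certificate found)"; exit 0; }
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK $1 (${bits}-bit RSA, FUTURE needs >= ${MIN_RSA_BITS})"
        exit 1
    fi
    echo "OK   $1 (${bits}-bit RSA)"
)

# Check every file given; exit status is 1 if any certificate is WEAK.
audit_certs() (
    rc=0
    for f in "$@"; do
        check_cert "$f" || rc=1
    done
    exit "$rc"
)

# When called with file arguments, audit them.
if [ "$#" -gt 0 ]; then
    audit_certs "$@"
fi
```

Run it with the CA, identity and entitlement certificate files as arguments; a non-zero exit status means at least one of them will be rejected under FUTURE.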

Environment

  • Red Hat Satellite 6.7 or older (new installations)
  • Red Hat Satellite 6 any version (upgraded installations)
  • At least one Red Hat Enterprise Linux 8 client with the FUTURE crypto policy
