Red Hat Enterprise Linux 8 clients with FUTURE policy get error: EE certificate key too weak

Solution Verified - Updated -


“The FUTURE policy provides additional hardening of the system. It is a conservative security level that is believed to withstand any near-term future attacks. The policy is not supposed to be used for general purpose systems.”


In order for Red Hat Satellite server to communicate with clients, the following is required to be on the client:
1. CA Certificate from Red Hat Satellite (downloaded with curl --insecure before registration)
2. Identity certificate signed by Red Hat Satellite CA (obtained thru subscription-manager register)
3. Entitlement certificates for each subscription


On Red Hat Enterprise Linux 8 clients with a crypto policy of FUTURE, the 2048-bit RSA certificates generated by Red Hat Satellite are not sufficient. They must be at least 3072 bits (see Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms)

For new Satellite installations (Red Hat Satellite 6.8 and newer), the katello-certs-tools package has already been updated to generate 4096-bit certificates. The problem is how to handle existing and upgraded Red Hat Satellite installations when Red Hat Enterprise Linux 8 clients need to use the FUTURE policy.


  • Red Hat Satellite 6.7 or older (new installations)
  • Red Hat Satellite 6 any version (upgraded installations)
  • At least one Red Hat Enterprise 8 client with FUTURE crypto policies

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content