Configuring an RSA key size of 1024 when the default policy keeps restoring 2048
Environment
- Red Hat Enterprise Linux
- 8.x
Issue
- How to configure the system-wide crypto policy to accept an RSA key size of 1024 bits?
Resolution
- The standard DEFAULT policy requires a minimum RSA key size of 2048 bits; the minimum per policy level is:
            LEGACY          DEFAULT         FIPS
  RSA       min. 1024-bit   min. 2048-bit   min. 2048-bit
In DEFAULT mode, RSA keys are accepted only if they are at least 2048 bits long.
- If an application requires a 1024-bit key size, the policy must be relaxed by creating a custom policy module (.pmod) file, as in the example below, and applying it as a subpolicy on top of DEFAULT.
[root@localhost ~]# cat /etc/crypto-policies/policies/modules/RSA1024.pmod
min_rsa_size = 1024
Then apply it:
[root@localhost ~]# update-crypto-policies --show
DEFAULT
[root@localhost ~]# cat /etc/crypto-policies/back-ends/java.config
jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
jdk.tls.legacyAlgorithms=
[root@localhost ~]# update-crypto-policies --set DEFAULT:RSA1024
Setting system policy to DEFAULT:RSA1024
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@localhost ~]# shutdown -r now
(log in again after a while)
[root@localhost ~]# update-crypto-policies --show
DEFAULT:RSA1024
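The steps above lower the minimum and rely on `update-crypto-policies --show` to confirm the policy name; a practitioner also wants to confirm that the generated back-end configuration actually reflects the new minimum. The following shell helpers are an added example, not part of the Red Hat article: one renders the policy module contents, the other reads a java.config text and extracts the RSA threshold from `jdk.certpath.disabledAlgorithms`. It assumes the back-end expresses the minimum as `RSA keySize < N` with N equal to `min_rsa_size`, which is how the DEFAULT output above encodes 2048; the sample config embedded below is constructed from that output.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): generate a crypto-policies
# module and verify which minimum RSA key size the Java back-end enforces.
# The module directory and update-crypto-policies come from the article;
# the helper names and the sample text below are constructed for this example.

# Render the contents of a policy module that sets min_rsa_size.
#   $1 = minimum RSA key size in bits
render_rsa_module() {
    printf 'min_rsa_size = %s\n' "$1"
}

# Read a java.config text on stdin and print the N from
# "RSA keySize < N" inside jdk.certpath.disabledAlgorithms.
java_rsa_threshold() {
    sed -n 's/^jdk\.certpath\.disabledAlgorithms=.*RSA keySize < \([0-9]*\).*/\1/p'
}

# Compare the threshold found on stdin with the expected minimum.
#   $1 = expected minimum RSA key size in bits
# Prints "ok" when the back-end matches, "mismatch" otherwise.
check_java_backend() {
    expected="$1"
    actual=$(java_rsa_threshold)
    [ "$actual" = "$expected" ] && echo ok || echo mismatch
}

# Constructed sample: the DEFAULT java.config shown in the article (trimmed).
SAMPLE_DEFAULT_CONFIG='jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2'

# Constructed sample: what the same file is expected to contain once
# DEFAULT:RSA1024 has been applied (assumption, see lead-in).
SAMPLE_RSA1024_CONFIG='jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, DSA, RSA keySize < 1024
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_DEFAULT_CONFIG" | check_java_backend 2048   # ok
printf '%s\n' "$SAMPLE_DEFAULT_CONFIG" | check_java_backend 1024   # mismatch
printf '%s\n' "$SAMPLE_RSA1024_CONFIG" | check_java_backend 1024   # ok

# On a RHEL 8 host the same helpers are used as follows (not run here):
#   render_rsa_module 1024 > /etc/crypto-policies/policies/modules/RSA1024.pmod
#   update-crypto-policies --set DEFAULT:RSA1024
#   check_java_backend 1024 < /etc/crypto-policies/back-ends/java.config
```

Because crypto-policies are only picked up when an application starts, run the check after the reboot (or service restart) the tool recommends; a "mismatch" at that point means the subpolicy was not applied to the back-end, not merely that the process has not restarted.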
Note: It is recommended to update your application to accept 2048-bit keys, because 1024-bit RSA keys are no longer considered secure due to known weaknesses.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.