diff options
author | Dirk Mueller <dirk@dmllr.de> | 2013-01-22 15:05:45 +0100 |
---|---|---|
committer | Dirk Mueller <dirk@dmllr.de> | 2013-06-04 23:45:49 +0200 |
commit | 7006798028f4b737ab8f8b5c84bfea2a64b7fbfc (patch) | |
tree | eba6b6c4d91e3293ec5cb683d6e8524479e8292b /doc | |
parent | cd349711bc6210bf35952c5f71bb92ab7676bd2d (diff) | |
download | keystone-7006798028f4b737ab8f8b5c84bfea2a64b7fbfc.tar.gz keystone-7006798028f4b737ab8f8b5c84bfea2a64b7fbfc.tar.xz keystone-7006798028f4b737ab8f8b5c84bfea2a64b7fbfc.zip |
Raise key length defaults
Extend RSA keylength to 2048 bits by default,
as the previous default of 1024 bit is considered
weak since 12/31/2010.
Also unify the message_md to the openssl builtin default.
Fixes bug 1103002
Change-Id: I70e90b7696f8a56073c3d6bdc9ed5d30cfa3401f
Diffstat (limited to 'doc')
-rw-r--r-- | doc/source/configuration.rst | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 661723da..66908c09 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -168,7 +168,7 @@ The values that specify where to read the certificates are under the * ``keyfile`` - Location of private key used to sign tokens. Default is ``/etc/keystone/ssl/private/signing_key.pem`` * ``ca_certs`` - Location of certificate for the authority that issued the above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem`` * ``ca_key`` - Default is ``/etc/keystone/ssl/certs/cakey.pem`` -* ``key_size`` - Default is ``1024`` +* ``key_size`` - Default is ``2048`` * ``valid_days`` - Default is ``3650`` * ``ca_password`` - Password required to read the ca_file. Default is None @@ -202,9 +202,9 @@ generate a PKCS #10 Certificate Request Syntax (CRS) using OpenSSL CLI. First create a certificate request configuration file (e.g. ``cert_req.conf``):: [ req ] - default_bits = 1024 + default_bits = 2048 default_keyfile = keystonekey.pem - default_md = sha1 + default_md = default prompt = no distinguished_name = distinguished_name @@ -223,7 +223,7 @@ key. Must use the -nodes option.** For example:: - openssl req -newkey rsa:1024 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes + openssl req -newkey rsa:2048 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes If everything is successfully, you should end up with ``signing_cert_req.pem`` |