From 7006798028f4b737ab8f8b5c84bfea2a64b7fbfc Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Tue, 22 Jan 2013 15:05:45 +0100 Subject: Raise key length defaults Extend RSA keylength to 2048 bits by default, as the previous default of 1024 bit is considered weak since 12/31/2010. Also unify the message_md to the openssl builtin default. Fixes bug 1103002 Change-Id: I70e90b7696f8a56073c3d6bdc9ed5d30cfa3401f --- doc/source/configuration.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 661723da..66908c09 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -168,7 +168,7 @@ The values that specify where to read the certificates are under the * ``keyfile`` - Location of private key used to sign tokens. Default is ``/etc/keystone/ssl/private/signing_key.pem`` * ``ca_certs`` - Location of certificate for the authority that issued the above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem`` * ``ca_key`` - Default is ``/etc/keystone/ssl/certs/cakey.pem`` -* ``key_size`` - Default is ``1024`` +* ``key_size`` - Default is ``2048`` * ``valid_days`` - Default is ``3650`` * ``ca_password`` - Password required to read the ca_file. Default is None @@ -202,9 +202,9 @@ generate a PKCS #10 Certificate Request Syntax (CRS) using OpenSSL CLI. First create a certificate request configuration file (e.g. ``cert_req.conf``):: [ req ] - default_bits = 1024 + default_bits = 2048 default_keyfile = keystonekey.pem - default_md = sha1 + default_md = default prompt = no distinguished_name = distinguished_name 
@@ -223,7 +223,7 @@ key. Must use the -nodes option.** For example:: - openssl req -newkey rsa:1024 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes + openssl req -newkey rsa:2048 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes If everything is successfully, you should end up with ``signing_cert_req.pem`` -- cgit
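Review bot: in the first hunk (``@@ -168,7``), the ``key_size`` default line now reads ``2048``, but this view is limited to ``doc``, so the matching change to the code default and to any sample config that still says ``1024`` needs to land in the same change; otherwise the documented default diverges from what Keystone actually generates. Raising the default also affects only newly generated keys: an existing 1024-bit ``/etc/keystone/ssl/private/signing_key.pem`` stays in place until it is regenerated, which is worth a sentence next to the default.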
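Review bot: in the second hunk (``@@ -202,9``), ``default_md = default`` is not a digest name; OpenSSL's ``req`` falls back to its builtin signature digest, and that builtin default depends on the OpenSSL release (the 1.0.x series signs with SHA-1, SHA-256 became the default in 1.1.0), so the doc no longer states which hash signs the request and on an OpenSSL current at the time of this change it still produces SHA-1, which undercuts the commit's stated goal of moving off weak defaults. Suggest an explicit ``default_md = sha256``, or at least a sentence saying that the digest is whatever the local OpenSSL defaults to and how to check it.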
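Review bot: in the third hunk (``@@ -223,7``), ``-newkey rsa:2048`` on the command line duplicates ``default_bits = 2048`` from ``cert_req.conf``; the explicit ``rsa:2048`` takes precedence over the config value, so the two must be kept in sync whenever the default is raised again, or the config line could be dropped in favour of the flag. Minor, in the unchanged context line: "If everything is successfully" should read "If everything is successful".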