Added RSA Key length (dsr8)
Modified the note to include <the certificate file>
Removed trailing spaces and fixed Patchset 7 comments
Updated Patchset 6 comments and removed the word platform
Fixed formatting issues
Updated Patchset 4 comments
Added additional notes in multiple topics listed in the review
Updated the Security / Upgrade Guide with a note

Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2
This commit is contained in:
parent 0919b0d6c3
commit cb0245cfab
@ -5,10 +5,20 @@
=========================================
Create Certificates Locally using openssl
=========================================


You can use :command:`openssl` to locally create certificates suitable for
use in a lab environment.

.. note::

Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.

You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output.

.. rubric:: |proc|

.. _create-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
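Review bot: The note only tells the reader to verify the key size after the certificate exists, but the size is fixed when the private key is generated, so the key-generation step of this procedure (outside this hunk) is where the 2048-bit requirement should be stated explicitly; a reader who follows the steps and only then runs the check has to start over. On the check itself, ``openssl x509 -in <the certificate file> -noout -text`` prints the size as ``Public-Key: (2048 bit)``, so quoting that exact line removes the guesswork, and ``openssl rsa -in <the key file> -noout -text`` reports the same for the private key when that is what the reader has in hand. Finally, "for better security / encryption strength" does not say what happens with a shorter key; since the note already says the new ``openssl`` requires 2048-bit keys, stating the consequence (certificates with shorter RSA keys are rejected) gives the reader a reason to act.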
@ -64,4 +74,3 @@ use in a lab environment.

$ cat my-server-cert.pem my-server-key.pem > my-server.pem


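Review bot: ``$ cat my-server-cert.pem my-server-key.pem > my-server.pem`` creates the bundle with the user's default umask, so a file that now contains the private key is typically readable by every local user; since this hunk is already touching the step (it only drops a trailing blank line), add a ``chmod 600 my-server.pem`` after the command, or have the reader set ``umask 077`` first, and say in the step text that the bundle holds the private key and must be handled as such.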
@ -119,3 +119,14 @@ In addition, |prod| monitors the installed certificates on the system by raising
alarms for expire-soon certificates and for expired certificates on the system,
see :ref:`Expiring-Soon and Expired Certificate Alarms
<alarm-expiring-soon-and-expired-certificates-baf5b8f73009>`.

.. note::

Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.

You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
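Review bot: This is the second verbatim copy of the key-length note in this change, with six more following in other files, and the copies already drift (the upgrade-guide copy adds "before migrating to |prod-long| Release |this-ver|" and reflows the sentence); with rst the text can live in a single snippet pulled in with ``.. include::`` so a later change to the threshold or to the check command is made once and every page stays in step. The trailing "For more information see :ref:`Create Certificates Locally using openssl ...`" is the right place to send the reader, but only if that page also says what to do when the check fails (regenerate the key at 2048 bits or larger and re-issue the certificate); as added in this change it states the check and nothing else.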
@ -65,3 +65,14 @@ file, and copy the file to the controller host.
MUST renew the certificate prior to expiry, otherwise a variety of system
operations will fail.

.. note::

Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.

You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

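Review bot: Landing directly after "MUST renew the certificate prior to expiry, otherwise a variety of system operations will fail.", the note reads as something to check at renewal time, whereas it applies to the certificate the reader is about to copy to the controller in the step this hunk extends ("file, and copy the file to the controller host"); move it ahead of that copy step, and make clear that a certificate with a shorter key has to be re-issued with a newly generated key, because renewing a certificate against the same key does not change the key length.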
@ -103,6 +103,17 @@ and ``/etc/kubernetes/pki/ca.key``.
existing certificate will ignore any arguments to generate a
certificate.

.. note::

Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl``
which requires a minimum of 2048-bit keys for RSA for better
security / encryption strength.

You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

#. Apply the strategy.

.. code-block::
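Review bot: Placed right after "existing certificate will ignore any arguments to generate a certificate.", the note leaves it unclear whether the 2048-bit requirement is something the reader must satisfy for the certificate they supply or something the strategy takes care of when it generates one; the reader can only act on the supplied case, so phrase it conditionally ("If you supply an existing certificate and ``/etc/kubernetes/pki/ca.key``, ensure its RSA key length is >= 2048 bits ...") and, if the generated certificate already meets the requirement, say so in the same sentence instead of leaving the reader to check it too. Since the note is inserted between two steps of the numbered procedure ("#. Apply the strategy." follows it), please also confirm it is indented under the preceding step in the source, otherwise the enumeration is broken at this point.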
@ -52,6 +52,17 @@ value is the absolute path of the certificate file. The certificate
must be in |PEM| format and the value must be provided as part of a pair
with <k8s_root_ca_cert>.

.. note::

Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.

You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

For example:

.. code-block:: none
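Review bot: This parameter is documented as one half of a certificate/key pair ("must be provided as part of a pair with <k8s_root_ca_cert>"), but the note's check covers only the certificate; either add the key-side check (``openssl rsa -in <the key file> -noout -text`` also prints the key size) or say explicitly that inspecting the certificate's "Public-Key" is sufficient because, when the pair matches, the private key has the same length. The note also separates the parameter description from its "For example:" block; keeping the example next to the description and placing the note after the example reads better.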
@ -92,6 +92,18 @@ controllers/subclouds.
(self-signed, internal Root |CA|) or use an external Root
|CA| that would make this an Intermediate |CA|.

.. note::

Ensure the certificates have RSA key length >= 2048 bits before
migrating to |prod-long| Release |this-ver|. The |prod-long| Release
|this-ver| provides a new version of ``openssl`` which requires a
minimum of 2048-bit keys for RSA for better security / encryption
strength.

You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

``system_root_ca_cert``
The Root |CA| that signed ``system_local_ca_cert``. If
``system_local_ca_cert`` is a self-signed, internal Root |CA|
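Review bot: This copy tells the operator to check "before migrating to |prod-long| Release |this-ver|" but not what to do when the check fails, which for an upgrade is the part that matters: say that ``system_local_ca_cert`` (and ``system_root_ca_cert`` when an external Root |CA| is used) must be re-issued with a 2048-bit or larger RSA key before the upgrade starts, and whether that means re-keying the existing |CA| or distributing a new one to the controllers/subclouds named in the hunk header. As written, an operator who discovers a 1024-bit key here has a requirement and no procedure.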
@ -99,6 +99,17 @@ above certificate.
``<pathTocertificateAndKey>``
is the path to the file containing both the Docker registry's
Intermediate or Root CA-signed certificate and private key to install.

.. note::

Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl``
which requires a minimum of 2048-bit keys for RSA for better
security / encryption strength.

You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

Refer to :ref:`Install/Update Local Registry Certificates
<installing-updating-the-docker-registry-certificate>` on how to install/update
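Review bot: ``<pathTocertificateAndKey>`` is a single file holding "both the Docker registry's Intermediate or Root CA-signed certificate and private key", and ``openssl x509 -in <file>`` parses only the first PEM certificate block it finds, so the suggested check reports whichever certificate happens to come first; if an intermediate |CA| certificate precedes the registry certificate in that file, it is the |CA|'s key size that gets printed, not the registry's. State that the check must be run against the registry's own certificate (before it is bundled, or on that block alone), and suggest checking the key half separately with ``openssl rsa -in <file> -noout -text`` so the private key actually installed is the one verified.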
@ -122,6 +122,17 @@ certificates.

#. Copy the |PEM| encoded certificate and key from the externally generated
|CA| to the controller host.

.. note::

Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl``
which requires a minimum of 2048-bit keys for RSA for better
security / encryption strength.

You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

#. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key
files:
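Review bot: The |CA| in this step is "externally generated", so the operator usually cannot change its key size; the note needs to say what to do when the check fails (obtain a re-issued |CA| certificate and key with a 2048-bit or larger RSA key before creating the secret) rather than only "Ensure", and it should be positioned so the check happens before the copy, not after the files are already on the controller. While here, "certificate/Key" in the next step should be "certificate/key".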