Added RSA Key length (dsr8)
Modified the note to include <the certificate file>
Removed trailing spaces and fixed Patchset 7 comments
Updated Patchset 6 comments and removed the word platform
Fixed formatting issues
Updated Patchset 4 comments
Added additional notes in multiple topics listed in the review
Updated the Security / Upgrade Guide with a note
Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2
This commit is contained in:
parent
0919b0d6c3
commit
cb0245cfab
@ -5,10 +5,20 @@
|
|||||||
=========================================
|
=========================================
|
||||||
Create Certificates Locally using openssl
|
Create Certificates Locally using openssl
|
||||||
=========================================
|
=========================================
|
||||||
|
|
||||||
You can use :command:`openssl` to locally create certificates suitable for
|
You can use :command:`openssl` to locally create certificates suitable for
|
||||||
use in a lab environment.
|
use in a lab environment.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
||||||
|
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
|
||||||
|
requires a minimum of 2048-bit keys for RSA for better security / encryption
|
||||||
|
strength.
|
||||||
|
|
||||||
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||||
|
and looking for the "Public-Key" in the output.
|
||||||
|
|
||||||
.. rubric:: |proc|
|
.. rubric:: |proc|
|
||||||
|
|
||||||
.. _create-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
|
.. _create-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
|
||||||
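Review bot: The new note tells readers to look for "Public-Key" in the ``openssl x509 -noout -text`` output, but that line also appears for non-RSA keys (an EC key shows a much smaller bit count), so the ">= 2048 bits" check as worded only makes sense for RSA; consider saying explicitly that the check applies to RSA keys and, since this topic is the one that generates the key, naming the option the reader should pass when creating it (e.g. ``-newkey rsa:2048`` on the ``openssl req`` step) so the requirement is met at generation time rather than only verified afterwards.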
@ -64,4 +74,3 @@ use in a lab environment.
|
|||||||
|
|
||||||
$ cat my-server-cert.pem my-server-key.pem > my-server.pem
|
$ cat my-server-cert.pem my-server-key.pem > my-server.pem
|
||||||
|
|
||||||
|
|
||||||
|
@ -119,3 +119,14 @@ In addition, |prod| monitors the installed certificates on the system by raising
|
|||||||
alarms for expire-soon certificates and for expired certificates on the system,
|
alarms for expire-soon certificates and for expired certificates on the system,
|
||||||
see :ref:`Expiring-Soon and Expired Certificate Alarms
|
see :ref:`Expiring-Soon and Expired Certificate Alarms
|
||||||
<alarm-expiring-soon-and-expired-certificates-baf5b8f73009>`.
|
<alarm-expiring-soon-and-expired-certificates-baf5b8f73009>`.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
||||||
|
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
|
||||||
|
requires a minimum of 2048-bit keys for RSA for better security / encryption
|
||||||
|
strength.
|
||||||
|
|
||||||
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||||
|
and looking for the "Public-Key" in the output. For more information see
|
||||||
|
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||||
|
@ -65,3 +65,14 @@ file, and copy the file to the controller host.
|
|||||||
MUST renew the certificate prior to expiry, otherwise a variety of system
|
MUST renew the certificate prior to expiry, otherwise a variety of system
|
||||||
operations will fail.
|
operations will fail.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
||||||
|
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
|
||||||
|
requires a minimum of 2048-bit keys for RSA for better security / encryption
|
||||||
|
strength.
|
||||||
|
|
||||||
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||||
|
and looking for the "Public-Key" in the output. For more information see
|
||||||
|
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||||
|
|
||||||
|
@ -103,6 +103,17 @@ and ``/etc/kubernetes/pki/ca.key``.
|
|||||||
existing certificate will ignore any arguments to generate a
|
existing certificate will ignore any arguments to generate a
|
||||||
certificate.
|
certificate.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
||||||
|
|prod-long| Release |this-ver| provides a new version of ``openssl``
|
||||||
|
which requires a minimum of 2048-bit keys for RSA for better
|
||||||
|
security / encryption strength.
|
||||||
|
|
||||||
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||||
|
and looking for the "Public-Key" in the output. For more information see
|
||||||
|
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||||
|
|
||||||
#. Apply the strategy.
|
#. Apply the strategy.
|
||||||
|
|
||||||
.. code-block::
|
.. code-block::
|
||||||
|
@ -52,6 +52,17 @@ value is the absolute path of the certificate file. The certificate
|
|||||||
must be in |PEM| format and the value must be provided as part of a pair
|
must be in |PEM| format and the value must be provided as part of a pair
|
||||||
with <k8s_root_ca_cert>.
|
with <k8s_root_ca_cert>.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
||||||
|
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
|
||||||
|
requires a minimum of 2048-bit keys for RSA for better security / encryption
|
||||||
|
strength.
|
||||||
|
|
||||||
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||||
|
and looking for the "Public-Key" in the output. For more information see
|
||||||
|
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
@ -92,6 +92,18 @@ controllers/subclouds.
|
|||||||
(self-signed, internal Root |CA|) or use an external Root
|
(self-signed, internal Root |CA|) or use an external Root
|
||||||
|CA| that would make this an Intermediate |CA|.
|
|CA| that would make this an Intermediate |CA|.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Ensure the certificates have RSA key length >= 2048 bits before
|
||||||
|
migrating to |prod-long| Release |this-ver|. The |prod-long| Release
|
||||||
|
|this-ver| provides a new version of ``openssl`` which requires a
|
||||||
|
minimum of 2048-bit keys for RSA for better security / encryption
|
||||||
|
strength.
|
||||||
|
|
||||||
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||||
|
and looking for the "Public-Key" in the output. For more information see
|
||||||
|
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||||
|
|
||||||
``system_root_ca_cert``
|
``system_root_ca_cert``
|
||||||
The Root |CA| that signed ``system_local_ca_cert``. If
|
The Root |CA| that signed ``system_local_ca_cert``. If
|
||||||
``system_local_ca_cert`` is a self-signed, internal Root |CA|
|
``system_local_ca_cert`` is a self-signed, internal Root |CA|
|
||||||
|
@ -99,6 +99,17 @@ above certificate.
|
|||||||
``<pathTocertificateAndKey>``
|
``<pathTocertificateAndKey>``
|
||||||
is the path to the file containing both the Docker registry's
|
is the path to the file containing both the Docker registry's
|
||||||
Intermediate or Root CA-signed certificate and private key to install.
|
Intermediate or Root CA-signed certificate and private key to install.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
||||||
|
|prod-long| Release |this-ver| provides a new version of ``openssl``
|
||||||
|
which requires a minimum of 2048-bit keys for RSA for better
|
||||||
|
security / encryption strength.
|
||||||
|
|
||||||
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||||
|
and looking for the "Public-Key" in the output. For more information see
|
||||||
|
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||||
|
|
||||||
Refer to :ref:`Install/Update Local Registry Certificates
|
Refer to :ref:`Install/Update Local Registry Certificates
|
||||||
<installing-updating-the-docker-registry-certificate>` on how to install/update
|
<installing-updating-the-docker-registry-certificate>` on how to install/update
|
||||||
|
@ -122,6 +122,17 @@ certificates.
|
|||||||
|
|
||||||
#. Copy the |PEM| encoded certificate and key from the externally generated
|
#. Copy the |PEM| encoded certificate and key from the externally generated
|
||||||
|CA| to the controller host.
|
|CA| to the controller host.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
||||||
|
|prod-long| Release |this-ver| provides a new version of ``openssl``
|
||||||
|
which requires a minimum of 2048-bit keys for RSA for better
|
||||||
|
security / encryption strength.
|
||||||
|
|
||||||
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||||
|
and looking for the "Public-Key" in the output. For more information see
|
||||||
|
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||||
|
|
||||||
#. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key
|
#. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key
|
||||||
files:
|
files:
|
||||||
|