From 7006798028f4b737ab8f8b5c84bfea2a64b7fbfc Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Tue, 22 Jan 2013 15:05:45 +0100
Subject: Raise key length defaults

Extend RSA keylength to 2048 bits by default, as the previous default of 1024 bit is considered weak since 12/31/2010. Also unify the message_md to the openssl builtin default.

Fixes bug 1103002

Change-Id: I70e90b7696f8a56073c3d6bdc9ed5d30cfa3401f
---
 examples/pki/gen_pki.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
(limited to 'examples')

diff --git a/examples/pki/gen_pki.sh b/examples/pki/gen_pki.sh
index 9bf6c3225..002ca89cc 100755
--- a/examples/pki/gen_pki.sh
+++ b/examples/pki/gen_pki.sh
@@ -40,9 +40,9 @@ function cleanup {
 function generate_ca_conf {
 echo '
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = cakey.pem
-default_md = sha1
+default_md = default
 prompt = no
 distinguished_name = ca_distinguished_name
@@ -67,9 +67,9 @@ basicConstraints = critical,CA:true
 function generate_ssl_req_conf {
 echo '
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = keystonekey.pem
-default_md = sha1
+default_md = default
 prompt = no
 distinguished_name = distinguished_name
@@ -88,9 +88,9 @@ emailAddress = keystone@openstack.org
 function generate_cms_signing_req_conf {
 echo '
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = keystonekey.pem
-default_md = sha1
+default_md = default
 prompt = no
 distinguished_name = distinguished_name
@@ -122,7 +122,7 @@ private_key = $dir/private/cakey.pem
 default_days = 21360
 default_crl_days = 30
-default_md = sha1
+default_md = default
 policy = policy_any
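Review bot: `default_md = default` no longer pins a signature digest at all; it defers the choice to whatever the host's OpenSSL build resolves for an RSA key, which on releases of this vintage is, as far as I recall, still SHA-1 (the algorithm this change is moving away from), so the safer fix is an explicit `default_md = sha256` in the three `[ req ]` sections and in the CA defaults section of the fourth hunk, which keeps the signature algorithm independent of the OpenSSL version installed. In my reading the literal value `default` is honoured by `openssl ca`, but `openssl req` on releases that only accept a digest name may ignore an unrecognised `default_md` silently and fall back without any error, so the request configs would get the fallback digest with no diagnostic. The same point applies to all four hunks on this line (`generate_ca_conf`, `generate_ssl_req_conf`, `generate_cms_signing_req_conf` and the CA section following `private_key = $dir/private/cakey.pem`). Each of the `generate_*_conf` functions continues beyond its hunk.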
@@ -157,14 +157,14 @@ function check_error {
 function generate_ca {
 echo 'Generating New CA Certificate ...'
- openssl req -x509 -newkey rsa:1024 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
+ openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
 check_error $?
 }
 function ssl_cert_req {
 echo 'Generating SSL Certificate Request ...'
 generate_ssl_req_conf
- openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
+ openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
 check_error $?
 #openssl req -in req.pem -text -noout
 }
@@ -172,7 +172,7 @@ function ssl_cert_req {
 function cms_signing_cert_req {
 echo 'Generating CMS Signing Certificate Request ...'
 generate_cms_signing_req_conf
- openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
+ openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
 check_error $?
 #openssl req -in req.pem -text -noout
 }
-- 
cgit v1.2.1
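Review bot: The key size is now hard-coded in two places for every key — `default_bits = 2048` in the generated config and `-newkey rsa:2048` on the command line — and because the explicit `-newkey rsa:N` argument takes precedence over `default_bits`, the config value is effectively dead for these three commands; a single `readonly KEY_BITS=2048` near the top of the script, used as `-newkey "rsa:${KEY_BITS}"` in `generate_ca`, `ssl_cert_req` and `cms_signing_cert_req` (and emitted by the `generate_*_conf` functions, which would need a here-doc or `printf` instead of the single-quoted `echo`), means the next size bump cannot drift between the two. While these lines are being rewritten, quote the path expansions, e.g. `openssl req -x509 -newkey "rsa:${KEY_BITS}" -days 21360 -out "$CERTS_DIR/cacert.pem" -keyout "$PRIVATE_DIR/cakey.pem" -outform PEM -config ca.conf -nodes`, since an unquoted `$CERTS_DIR` or `$PRIVATE_DIR` still word-splits on a directory path containing whitespace; the same applies to the `ssl_cert_req` and `cms_signing_cert_req` lines in the second hunk on this line. `check_error`, named in the first hunk header, lies outside the hunk; the three functions changed here are complete within their hunks.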