authorDirk Mueller <dirk@dmllr.de>2013-07-09 17:04:55 +0200
committerDirk Mueller <dirk@dmllr.de>2013-07-09 17:42:50 +0200
commit3f1415026b2d1d00f71a906c84846ba56af1b56a (patch)
tree36699ab9802b48603ed3609cc14a1ed029d757e1 /examples/pki/gen_pki.sh
parent6d0afcc98e3df36f9b57642daef25d4d3091acf7 (diff)
downloadpython-keystoneclient-3f1415026b2d1d00f71a906c84846ba56af1b56a.tar.gz
Raise key length defaults
Extend the RSA key length to 2048 bits by default, as the previous default of 1024 bits has been considered weak since 12/31/2010. Also unify the message_md to the openssl builtin default. Fixes bug 1103002 Change-Id: I619fc32b62beab4458ee6f21bf8dc7499fe400d7
Diffstat (limited to 'examples/pki/gen_pki.sh')
-rwxr-xr-xexamples/pki/gen_pki.sh20
1 files changed, 10 insertions, 10 deletions
diff --git a/examples/pki/gen_pki.sh b/examples/pki/gen_pki.sh
index 1e4fd2a..6beb3b8 100755
--- a/examples/pki/gen_pki.sh
+++ b/examples/pki/gen_pki.sh
@@ -40,9 +40,9 @@ function cleanup {
function generate_ca_conf {
echo '
[ req ]
-default_bits = 1024
+default_bits = 2048
default_keyfile = cakey.pem
-default_md = sha1
+default_md = default
prompt = no
distinguished_name = ca_distinguished_name
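Review bot: `default_md = default` on the added line is a keyword, not a digest name, so the digest `openssl req` actually applies now comes from the OpenSSL build's compiled-in default rather than from this file; on OpenSSL releases contemporary with this change that default was still SHA-1, so the request digest may end up exactly where it was while becoming harder to audit. Pinning it explicitly, `default_md = sha256`, keeps the generated config self-describing and reproducible across OpenSSL versions. The same keyword is written into the ssl_req and cms_signing_req sections in the next two hunks and into the ca section's `default_md` in the fourth hunk; `openssl ca` resolves `default` through a different code path than `openssl req`, so the two tools are not guaranteed to pick the same digest. The single-quoted string passed to echo continues past the end of this hunk.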
@@ -67,9 +67,9 @@ basicConstraints = critical,CA:true
function generate_ssl_req_conf {
echo '
[ req ]
-default_bits = 1024
+default_bits = 2048
default_keyfile = keystonekey.pem
-default_md = sha1
+default_md = default
prompt = no
distinguished_name = distinguished_name
@@ -88,9 +88,9 @@ emailAddress = keystone@openstack.org
function generate_cms_signing_req_conf {
echo '
[ req ]
-default_bits = 1024
+default_bits = 2048
default_keyfile = keystonekey.pem
-default_md = sha1
+default_md = default
prompt = no
distinguished_name = distinguished_name
@@ -122,7 +122,7 @@ private_key = $dir/private/cakey.pem
default_days = 21360
default_crl_days = 30
-default_md = sha1
+default_md = default
policy = policy_any
@@ -157,14 +157,14 @@ function check_error {
function generate_ca {
echo 'Generating New CA Certificate ...'
- openssl req -x509 -newkey rsa:1024 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
+ openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
check_error $?
}
function ssl_cert_req {
echo 'Generating SSL Certificate Request ...'
generate_ssl_req_conf
- openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
+ openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
check_error $?
#openssl req -in req.pem -text -noout
}
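Review bot: The key size on the two rewritten `openssl req` lines must now be kept in step with `default_bits` in the generated `.conf` files by hand; `-newkey rsa:2048` on the command line overrides the config value, so the next bump can leave the two disagreeing without any error. A single variable such as `KEY_BITS=2048` (constructed name) used in `-newkey rsa:$KEY_BITS` and spliced into the echoed conf text would remove the duplication, though the conf strings are single-quoted and would need to be split around it. While these lines are being rewritten, the path expansions should be quoted, `-out "$CERTS_DIR/cacert.pem" -keyout "$PRIVATE_DIR/cakey.pem"`, so a directory containing whitespace does not split the argument list. The same two points apply to the cms_signing_cert_req line in the next hunk.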
@@ -172,7 +172,7 @@ function ssl_cert_req {
function cms_signing_cert_req {
echo 'Generating CMS Signing Certificate Request ...'
generate_cms_signing_req_conf
- openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
+ openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
check_error $?
#openssl req -in req.pem -text -noout
}