Univention Bugzilla – Bug 30545
univention-certificate - defaults bits for key should be configurable
Last modified: 2014-10-30 14:11:40 CET
The default bit number for keys should be configurable via UCR. At this time it is hard-coded in the /usr/share/univention-ssl/make-certificates.sh script (around line 419). For some applications, e.g. SCUP (Microsoft SCCM update publisher), one needs a key length >= 2048 bits.
Same issue here, certificate authorities will not sign keys shorter than 2048 bits!
Created attachment 5229: Increase certificate length to 2048 bit
Attention, after applying the patch, CA and certificates need to be recreated!
In light of Bug #35836 it might also be worth considering fixing this bug as well.
*** Bug 35588 has been marked as a duplicate of this bug. ***
Please fix it together with Bug #35836.
added ssl/default/bits and changed default to 2048
YAML: 2014-10-15-univention-ssl.yaml
*** Bug 36176 has been marked as a duplicate of this bug. ***
OK: r54453

RFC: openssl.cnf
 [CA_default] default_md=sha1
 [req] default_bits=1024
This file is unused, as a file with the same name is generated by make-certificates.sh each time. IMHO it should be removed from the source code to reduce further confusion.

RFA: 2014-10-15-univention-ssl.yaml
 The default key size has been changed to 2048 [+bits+]
 (configurable via [+UCR variable+] ssl/default/bits)

IMHO "bits" is too generic; perhaps "keysize"?

FYI: Description[de]: 'Default' is a German word since 2006: <http://www.duden.de/rechtschreibung/Default>

OK: annouce_errata -V 2014-10-15-univention-ssl.yaml
OK: /usr/sbin/univention-certificate new -name test -days 365
 openssl x509 -noout -text -in /etc/univention/ssl/test/cert.pem
 RSA Public Key: (2048 bit)
(In reply to Philipp Hahn from comment #8)
> OK: r54453
>
> RFC: openssl.cnf
> [CA_default] default_md=sha1
> [req] default_bits=1024
> This file is unused, as a file with the same name is generated by
> make-certificates.sh each time. IMHO it should be removed from the source
> code to reduce further confusion.

removed

>
> RFA: 2014-10-15-univention-ssl.yaml
> The default key size has been changed to 2048 [+bits+]
> (configurable via [+UCR variable+] ssl/default/bits)
>
> IMHO "bits" is too generic; perhaps "keysize"?
>
> FYI: Description[de]: 'Default' is a German word since 2006:
> <http://www.duden.de/rechtschreibung/Default>

fixed, YAML updated, see 2014-10-15-univention-ssl.yaml

Merged to 4.0-
OK: UCS-3.2-3: r55085,r55095,r55098
OK: UCS-4.0-0: r55055,r55086,r55096,r55099
OK: openssl.cnf removed
OK: ucr info ssl/default/bits
OK: annouce_errata -V 2014-10-15-univention-ssl.yaml
OK: piuparts-test 2014-10-15-univention-ssl.yaml
OK: RSA Public Key: (2048 bit)
OK: Signature Algorithm: sha1WithRSAEncryption
OK: UCS-4.0-0 merge
http://errata.univention.de/ucs/3.2/227.html