Configurable key types and signature algorithms for Teleport CAs #22505
Labels: c-ju (Internal Customer Reference); feature-request (used for new features in Teleport, improvements to current should be #enhancements); to-be-reviewed (this issue needs to be reviewed by Engineering and Product)
What would you like Teleport to do?
When initializing or rotating the Teleport Certificate Authorities, it should be possible to specify the key size and algorithm used for the CAs.
What problem does this solve?
Some more restrictive TLS policies (RHEL 8's FUTURE policy, for example) require an RSA key to be larger than 2048 bits.
If a workaround exists, please include it.
No workaround. The 2048-bit key size is hardcoded for both software and PKCS certificate authority creation functions.
https://github.com/gravitational/teleport/blob/v12.0.4/api/constants/constants.go#L144
https://github.com/gravitational/teleport/blob/v12.0.4/lib/auth/native/native.go#L92
https://github.com/gravitational/teleport/blob/v12.0.4/lib/auth/keystore/pkcs11.go#L133
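One way to check which CA certificates in a PEM bundle would fail a minimum RSA key size policy like the one described above. This is an added example, not part of the original issue or Teleport's code; the function names, the constructed throwaway CAs and the 3072-bit threshold are assumptions, so set the minimum to whatever your policy requires.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// weakRSACAs walks every PEM block in bundle and reports certificates whose RSA key is below minBits.
func weakRSACAs(bundle []byte, minBits int) []string {
	var findings []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			findings = append(findings, "skipped "+block.Type+" block: "+err.Error())
			continue
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minBits {
			findings = append(findings, fmt.Sprintf("%s: RSA %d bits, below minimum %d",
				cert.Subject.CommonName, pub.N.BitLen(), minBits))
		}
	}
	return findings
}

// constructedCAPEM builds a throwaway self-signed CA (constructed sample input, not a real CA).
func constructedCAPEM(cn string, bits int) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	bundle := append(constructedCAPEM("ca-2048", 2048), constructedCAPEM("ca-3072", 3072)...)
	fmt.Println(weakRSACAs(bundle, 3072)) // assumed policy minimum
}
```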