- Task
- Resolution: Unresolved
- Critical
- Testable
- rhel-cockpit
- 26Q1 - Feb 18

This is the third bullet point of RHELMISC-11973. The first two are covered by COCKPIT-1739. This is currently contentious and is being discussed in RHELMISC-11973.

Our certificate generation still hardcodes RSA. For full PQ support we need to generate two certificate pairs, one RSA and one PQ. The PQ pair can be generated with:

    openssl req \
      -x509 \
      -newkey mldsa65 \
      -keyout localhost-mldsa.key \
      -subj /CN=localhost \
      -addext subjectAltName=DNS:localhost \
      -days 30 \
      -nodes \
      -out localhost-mldsa.crt

sscg 4.x now supports post-quantum certificate generation:

    sscg --lifetime 90 --key-type=mldsa \
      --cert-key-file mldsa.key --cert-file mldsa.crt --ca-file mldsa-ca.pem \
      --hostname abakus --organization "${MACHINE_ID:-unspecified}" \
      --subject-alt-name localhost \
      --subject-alt-name IP:127.0.0.1/255.255.255.255

For testing purposes, it also supports --key-type=ecdsa.

Our webserver also has to support loading multiple certificates, as in the openssl s_server example:

    openssl s_server \
      -cert localhost-mldsa.crt -key localhost-mldsa.key \
      -dcert localhost-rsa.crt -dkey localhost-rsa.key

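The two-pair generation described above, as an added example that is not Cockpit's own code: it creates the RSA pair unconditionally and the ML-DSA pair only when the local openssl can generate such keys, then reports each certificate's public key algorithm. The rsa:2048 key size, the temporary output directory and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not Cockpit code): create the RSA + ML-DSA pairs described above.
# File names follow the page; rsa:2048 and the mktemp directory are assumptions.

# True if the local openssl can generate ML-DSA-65 keys.
have_mldsa() {
    openssl genpkey -algorithm mldsa65 >/dev/null 2>&1
}

# gen_pair <newkey-spec> <basename>: self-signed localhost cert, flags as on the page.
# Runs in a subshell so the restrictive umask does not leak to the caller.
gen_pair() (
    umask 077    # private key must not be group/world readable
    openssl req -x509 -newkey "$1" -keyout "$2.key" \
        -subj /CN=localhost -addext subjectAltName=DNS:localhost \
        -days 30 -nodes -out "$2.crt"
)

# pubkey_alg <cert>: print the certificate's public key algorithm.
pubkey_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# make_dual_certs <dir>: always create the RSA pair; add ML-DSA when supported,
# so hosts with an older openssl still end up with a working certificate.
make_dual_certs() {
    gen_pair rsa:2048 "$1/localhost-rsa" || return 1
    if have_mldsa; then
        gen_pair mldsa65 "$1/localhost-mldsa" || return 1
    else
        echo "openssl cannot generate ML-DSA keys; only the RSA pair was created" >&2
    fi
}

CERT_DIR=$(mktemp -d)
make_dual_certs "$CERT_DIR"
for crt in "$CERT_DIR"/*.crt; do
    echo "$crt: $(pubkey_alg "$crt")"
done
```
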
- is blocked by
  - RHEL-123675 Update to SSCG 4.0 (Release Pending)
  - COCKPIT-1330 Drop TLS support from cockpit-ws, replace TLS support in ws container (Closed)
- is duplicated by
  - COCKPIT-1304 Add support and test for quantum cryptography (Closed)