Bug
Resolution: Unresolved
Affects versions: 4.15, 4.16
09/30: workaround is to use the DEFAULT policy. KB written.
Description of problem:
If the crypto policy on RHCOS nodes is set to "FUTURE", IPsec cannot start because of errors like the following:
sh-5.1# journalctl -u ipsec --no-pager | grep ERROR | tail -1
Aug 12 11:40:17 worker-0.example.com pluto[40873]: "ovn-bd7af8-0-out-1" #255: NSS: ERROR: IPsec certificate CN=openshift-ovn-kubernetes_signer-ca@1723451186 invalid: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: The certificate was signed using a signature algorithm that is disabled because it is not secure.
In particular, if the policy was changed before an upgrade from 4.14 to 4.15, IPsec unexpectedly stops working.
Version-Release number of selected component (if applicable):
4.16, 4.15
How reproducible:
100% always
Steps to Reproduce:
1. Set the crypto policy to "FUTURE" on the RHCOS nodes, for example by running `update-crypto-policies --set FUTURE` and then rebooting the nodes.
2. Enable IPsec in the cluster with `mode: Full`.
3. The IPsec pods are not able to start.
Actual results:
After enabling IPsec, the certificates are not generated or recreated with a signing algorithm that the policy accepts, so IPsec starts but is unable to use the certificate. The certificate is signed with the "sha512WithRSAEncryption" algorithm.
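The pluto error quoted above is the only symptom visible on an affected node, so an operator checking whether a cluster has hit this problem needs to pull such lines out of `journalctl -u ipsec` and tell the policy-related failure apart from other certificate errors. The following parser is an added example written for this report, not code from OpenShift or libreswan. It assumes the pluto line layout shown above; the first sample line is the one quoted in this report and the other two are constructed to exercise the parser.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample journal output. The first line is the ERROR line quoted in
# this bug report; the other two are constructed (hypothetical) lines added to
# show a non-error line and a certificate error unrelated to the crypto policy.
SAMPLE_JOURNAL = """\
Aug 12 11:40:17 worker-0.example.com pluto[40873]: "ovn-bd7af8-0-out-1" #255: NSS: ERROR: IPsec certificate CN=openshift-ovn-kubernetes_signer-ca@1723451186 invalid: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: The certificate was signed using a signature algorithm that is disabled because it is not secure.
Aug 12 11:40:18 worker-0.example.com pluto[40873]: "ovn-bd7af8-0-out-1" #255: initiating IKEv2 connection
Aug 12 11:40:19 worker-0.example.com pluto[40873]: "ovn-bd7af8-1-in-1" #256: NSS: ERROR: IPsec certificate CN=constructed-example-ca invalid: SEC_ERROR_EXPIRED_CERTIFICATE: Peer's Certificate has expired.
"""

# NSS error code that pluto reports when the node's crypto policy disables the
# algorithm used to sign the IPsec certificate (the code seen in this report).
POLICY_DISABLED_CODE = "SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED"

# Matches a pluto "NSS: ERROR: IPsec certificate <subject> invalid: <code>: <msg>"
# line as emitted in the journal (timestamp, host, pid, connection name, state #).
PLUTO_NSS_ERROR = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): NSS: ERROR: IPsec certificate '
    r'(?P<subject>.+?) invalid: (?P<code>SEC_ERROR_[A-Z0-9_]+): (?P<msg>.*)$'
)


@dataclass
class CertError:
    timestamp: str
    host: str
    connection: str
    subject: str
    code: str
    message: str


def parse_cert_errors(journal_text: str) -> List[CertError]:
    """Return one CertError per pluto NSS certificate error line; other lines are skipped."""
    errors: List[CertError] = []
    for line in journal_text.splitlines():
        m = PLUTO_NSS_ERROR.match(line)
        if not m:
            continue
        errors.append(CertError(
            timestamp=m.group("ts"),
            host=m.group("host"),
            connection=m.group("conn"),
            subject=m.group("subject"),
            code=m.group("code"),
            message=m.group("msg"),
        ))
    return errors


def policy_related(errors: List[CertError]) -> List[CertError]:
    """Keep only the errors caused by a signature algorithm disabled by the crypto policy."""
    return [e for e in errors if e.code == POLICY_DISABLED_CODE]


def affected_hosts(journal_text: str) -> List[str]:
    """Sorted list of hosts whose IPsec tunnels failed because of the crypto policy."""
    return sorted({e.host for e in policy_related(parse_cert_errors(journal_text))})


if __name__ == "__main__":
    for err in parse_cert_errors(SAMPLE_JOURNAL):
        tag = "POLICY" if err.code == POLICY_DISABLED_CODE else "OTHER "
        print(f"{tag} {err.host} {err.connection} {err.subject} {err.code}")
    print("hosts to check:", affected_hosts(SAMPLE_JOURNAL))
```

On a real node the input would be `journalctl -u ipsec --no-pager` output rather than the constructed sample; the `affected_hosts` result tells the operator which nodes still carry a policy that rejects the OVN signer certificate and therefore need the documented workaround applied.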
Expected results:
The IPsec configuration should work, since the documentation states that RHCOS can be hardened like any RHEL machine:
Additional info:
This issue was reported by a customer but is also easily reproducible in a lab. Reverting the crypto policy to "DEFAULT" is a tested workaround.