Proposed title of this feature request
Service serving certificate uses the legacy PKCS#1 private key format; a future move from PKCS#1 to PKCS#8 private keys is desired.
What is the nature and description of the request?
When annotating a service with service.beta.openshift.io/serving-cert-secret-name [1] the created secret contains a PKCS#1 private key. PKCS#1 has long been superseded by PKCS#8, which allows algorithms other than RSA, and some applications no longer support PKCS#1. Please switch this to PKCS#8, or provide an option to generate PKCS#8 private keys.
[1] https://docs.openshift.com/container-platform/4.6/security/certificates/service-serving-certificate.html
Setting the service.beta.openshift.io/serving-cert-secret-name annotation results in a PKCS#1 private key being generated in the secret. PKCS#1 only supports RSA private keys and is no longer supported by some applications (e.g. logstash), which now expect the more modern PKCS#8 format for private keys.
Certificates and keys are generated using the crypto/x509 package from the Go standard library (https://github.com/openshift/service-ca-operator/blob/master/pkg/operator/util/cert.go).
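The two encodings differ only in the PEM header and the DER wrapper, so the change requested here amounts to calling x509.MarshalPKCS8PrivateKey instead of x509.MarshalPKCS1PrivateKey. The following Go program is an added illustration, not code from service-ca-operator: it generates a key the legacy way, converts it to PKCS#8, shows that PKCS#8 also carries a non-RSA (ECDSA) key, and includes a parser that accepts either header, which is what a consuming application needs while secrets are migrated. All function names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// PEM block types for the two private key encodings.
const (
	PEMTypePKCS1 = "RSA PRIVATE KEY" // PKCS#1: RSA only, what the serving-cert secret holds today
	PEMTypePKCS8 = "PRIVATE KEY"     // PKCS#8: algorithm-agnostic
)

// PEMBlockType returns the type of the first PEM block, or "" if none is found.
// Handy for auditing mounted secrets: a "RSA PRIVATE KEY" header means PKCS#1.
func PEMBlockType(pemBytes []byte) string {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return ""
	}
	return block.Type
}

// NewPKCS1PEM generates an RSA key and encodes it as PKCS#1, mirroring the
// legacy output the feature request describes (constructed for this example).
func NewPKCS1PEM(bits int) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	der := x509.MarshalPKCS1PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: PEMTypePKCS1, Bytes: der}), key, nil
}

// NewPKCS8PEM encodes any supported private key (RSA, ECDSA, Ed25519) as PKCS#8.
// MarshalPKCS1PrivateKey only accepts *rsa.PrivateKey, so this is the path that
// also supports non-RSA serving keys.
func NewPKCS8PEM(key crypto.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: PEMTypePKCS8, Bytes: der}), nil
}

// ParsePrivateKeyPEM accepts either encoding; a consumer that does this keeps
// working whether the secret holds a PKCS#1 or a PKCS#8 key.
func ParsePrivateKeyPEM(pemBytes []byte) (crypto.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case PEMTypePKCS1:
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case PEMTypePKCS8:
		return x509.ParsePKCS8PrivateKey(block.Bytes)
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

// ConvertToPKCS8PEM rewrites a PKCS#1 key as PKCS#8. PKCS#8 input is re-encoded
// unchanged, so running it over an already-migrated secret is harmless.
func ConvertToPKCS8PEM(pemBytes []byte) ([]byte, error) {
	key, err := ParsePrivateKeyPEM(pemBytes)
	if err != nil {
		return nil, err
	}
	return NewPKCS8PEM(key)
}

func main() {
	legacy, _, err := NewPKCS1PEM(2048)
	if err != nil {
		panic(err)
	}
	modern, err := ConvertToPKCS8PEM(legacy)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated:", PEMBlockType(legacy), "-> converted:", PEMBlockType(modern))

	// PKCS#8 is the only one of the two that can carry a non-RSA key.
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	ecPEM, err := NewPKCS8PEM(ecKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("ecdsa key encoded as:", PEMBlockType(ecPEM))
}
```

On the consuming side, ParsePrivateKeyPEM is the dual-format check worth keeping even after the operator switches, since older secrets are only rewritten when they are regenerated.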
Why does the customer need this? (List the business requirements here)
Security purposes around certificates.
List any affected packages or components.
- Go
- service-ca-operator
- Is incorporated by: OCPSTRAT-705 Enhanced encryption key format on service-ca (status: New)