OpenShift Request For Enhancement: RFE-1803

Service-ca-operator: Service serving certificate uses legacy PKCS#1 private key format


    • Type: Feature Request
    • Resolution: Done
    • Priority: Normal
    • Components: API, Auth

      Proposed title of this feature request

      Service serving certificate uses legacy PKCS#1 private key format; a move from PKCS#1 to PKCS#8 private keys is desired.

      What is the nature and description of the request?

      When annotating a service with service.beta.openshift.io/serving-cert-secret-name [1], the created secret contains a PKCS#1 private key. PKCS#1 has long been superseded by PKCS#8, which allows algorithms other than RSA, and some applications no longer support PKCS#1. Please switch this to PKCS#8, or provide an option to generate PKCS#8 private keys.

      [1] https://docs.openshift.com/container-platform/4.6/security/certificates/service-serving-certificate.html

       

      Setting the service.beta.openshift.io/serving-cert-secret-name annotation results in a PKCS#1 private key being generated in the secret. PKCS#1 only supports RSA private keys and is no longer supported by some applications (e.g. Logstash), which now expect the more modern PKCS#8 format for private keys.

       

      Certificates and keys are generated using the crypto/x509 package from the Go standard library (https://github.com/openshift/service-ca-operator/blob/master/pkg/operator/util/cert.go).
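      The difference between the two encodings, and the check and conversion a consumer of the secret would want, as an added Go example (this is illustrative code written for this page, not code from service-ca-operator). It uses only crypto/x509 and encoding/pem: the PEM block type distinguishes the formats ("RSA PRIVATE KEY" is PKCS#1, "PRIVATE KEY" is PKCS#8), x509.MarshalPKCS1PrivateKey accepts only *rsa.PrivateKey, while x509.MarshalPKCS8PrivateKey also takes ECDSA and Ed25519 keys. The key material is generated inline so the example runs offline; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// PEM block types that distinguish the two encodings.
const (
	PKCS1Type = "RSA PRIVATE KEY" // PKCS#1 RSAPrivateKey: RSA only
	PKCS8Type = "PRIVATE KEY"     // PKCS#8 PrivateKeyInfo: carries an algorithm identifier
)

// KeyFormat reports which private-key encoding a PEM-encoded key uses.
// Run it against the tls.key entry of a serving-cert secret to see what you got.
func KeyFormat(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	switch block.Type {
	case PKCS1Type:
		return "PKCS#1", nil
	case PKCS8Type:
		return "PKCS#8", nil
	}
	return "", fmt.Errorf("unexpected PEM type %q", block.Type)
}

// EncodePKCS1 is the legacy encoding the issue describes; it exists only for RSA.
func EncodePKCS1(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: PKCS1Type, Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// EncodePKCS8 is the requested encoding: RSA, ECDSA and Ed25519 keys all use
// the same wrapper, so a consumer needs one code path instead of one per algorithm.
func EncodePKCS8(key any) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: PKCS8Type, Bytes: der}), nil
}

// PKCS1ToPKCS8 rewraps an existing PKCS#1 RSA key as PKCS#8 without changing
// the key material, which is what a PKCS#8-only consumer needs today.
func PKCS1ToPKCS8(pemBytes []byte) ([]byte, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != PKCS1Type {
		return nil, errors.New("input is not a PEM-encoded PKCS#1 RSA private key")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse PKCS#1: %w", err)
	}
	return EncodePKCS8(key)
}

// SameRSAKey parses both encodings and confirms they hold the same private key.
func SameRSAKey(pkcs1PEM, pkcs8PEM []byte) (bool, error) {
	b1, _ := pem.Decode(pkcs1PEM)
	b8, _ := pem.Decode(pkcs8PEM)
	if b1 == nil || b8 == nil {
		return false, errors.New("missing PEM block")
	}
	k1, err := x509.ParsePKCS1PrivateKey(b1.Bytes)
	if err != nil {
		return false, err
	}
	k8, err := x509.ParsePKCS8PrivateKey(b8.Bytes)
	if err != nil {
		return false, err
	}
	rsaK8, ok := k8.(*rsa.PrivateKey)
	if !ok {
		return false, fmt.Errorf("PKCS#8 key is %T, not RSA", k8)
	}
	return k1.Equal(rsaK8), nil
}

func main() {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	legacy := EncodePKCS1(rsaKey)   // what the secret contains today
	modern, _ := PKCS1ToPKCS8(legacy) // what the request asks for
	f1, _ := KeyFormat(legacy)
	f8, _ := KeyFormat(modern)
	same, _ := SameRSAKey(legacy, modern)
	fmt.Println(f1, "->", f8, "same key:", same)

	// PKCS#8 also carries non-RSA keys; PKCS#1 has no way to express this.
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ecPEM, _ := EncodePKCS8(ecKey)
	f, _ := KeyFormat(ecPEM)
	fmt.Println("ECDSA key encoded as", f)
}
```

      The same rewrap can be done outside Go with `openssl pkcs8 -topk8 -nocrypt -in tls.key -out tls-pkcs8.key`; the private key is unchanged either way, only the ASN.1 wrapper differs, so the existing tls.crt keeps matching it.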

      Why does the customer need this? (List the business requirements here)

      Security purposes around certificates.

      List any affected packages or components.

      • Go
      • service-ca-operator

      People: William Caban, David Hernandez Fernandez