What were you trying to do that didn't work?
OpenSSL clients such as cockpit-ws and tog-pegasus rely on the openssl req or openssl genrsa commands to generate self-signed certificates.
For this, they pass their own configuration snippet as the -config argument, e.g. for cockpit-ws (/usr/libexec/cockpit-certificate-helper):

openssl req -x509 \
    -days "${DAYS}" \
    -newkey rsa \
    -keyout "${KEYFILE}" \
    -keyform PEM \
    -nodes \
    -out "${CERTFILE}" \
    -outform PEM \
    -subj "${MACHINE_ID:+/O=${MACHINE_ID}}/CN=${HOSTNAME}" \
    -config - \
    -extensions v3_req << EOF
[ req ]
req_extensions = v3_req
extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
subjectAltName=IP:127.0.0.1,DNS:localhost
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature,cRLSign,keyCertSign,keyEncipherment,keyAgreement
extendedKeyUsage = serverAuth
EOF
It appears that using such a snippet causes the default configuration file to be loaded (as seen when stracing the command) but not taken into account.
For example, as a workaround for RHEL-81724, I modified /etc/pki/tls/openssl.cnf to force generating a 3072-bit RSA key:

[ req ]
#default_bits = 2048
default_bits = 3072

With this, executing the command to generate the certificate shows an RSA key of 2048 bits being generated, instead of the expected 3072 bits:
# yum -y install cockpit-ws
# rm /etc/cockpit/ws-certs.d/0-self-signed.* || true
# /usr/libexec/cockpit-certificate-helper selfsign
# ssh-keygen -l -f /etc/cockpit/ws-certs.d/0-self-signed.key
2048 SHA256:NJhbGGQYMSAjI7+oVeaArx0oX2xw4581y2oQhWQ9D6M no comment (RSA)
What is the impact of this issue to you?
OpenSSL clients using openssl genrsa or openssl req cannot know which key size is suitable, since it depends on the Crypto Policy configuration. This "bug" makes it difficult to generate appropriate keys and certificates.
Please provide the package NVR for which the bug is seen:
openssl-3.2.2-6.el9_5.x86_64
How reproducible is this bug?:
Always, see above
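As an added example (not the cockpit-ws helper script and not part of this report), the following POSIX shell snippet shows how a caller that passes its own snippet via -config - can pin the RSA key size itself rather than relying on default_bits from /etc/pki/tls/openssl.cnf: the size is given explicitly with -newkey rsa:BITS and repeated as default_bits inside the snippet, and a small check reads the size back from the generated key. The function names (gen_selfsigned, rsa_key_bits, check_min_bits), the 365-day validity and the example.test hostname are assumptions made here; the sed pattern accepts both the OpenSSL 1.1 ("RSA Private-Key: (... bit") and OpenSSL 3 ("Private-Key: (... bit") header lines.

```shell
#!/bin/sh
# Added example, not cockpit's code: pin the RSA key size explicitly because
# a snippet passed with "-config -" replaces the default openssl.cnf, so a
# default_bits set there is not honoured.
set -eu

# gen_selfsigned BITS OUTDIR HOSTNAME
# Writes OUTDIR/key.pem and OUTDIR/cert.pem. The size comes from
# "-newkey rsa:BITS"; default_bits is also set inside the snippet so the
# two cannot disagree if the -newkey argument is ever changed to plain "rsa".
gen_selfsigned() {
    bits="$1"; outdir="$2"; host="$3"
    openssl req -x509 -days 365 \
        -newkey "rsa:${bits}" \
        -keyout "${outdir}/key.pem" -keyform PEM -nodes \
        -out "${outdir}/cert.pem" -outform PEM \
        -subj "/CN=${host}" \
        -config - -extensions v3_req <<EOF
[ req ]
default_bits = ${bits}
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
subjectAltName = IP:127.0.0.1,DNS:localhost,DNS:${host}
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# rsa_key_bits KEYFILE
# Prints the modulus size of an RSA private key in bits (e.g. 3072), taken
# from the "Private-Key: (NNNN bit" header of "openssl rsa -text".
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# check_min_bits KEYFILE MINBITS
# Succeeds (exit 0) only when the key has at least MINBITS, so a deployment
# script can refuse a key that is smaller than the local policy requires.
check_min_bits() {
    actual=$(rsa_key_bits "$1")
    [ -n "$actual" ] && [ "$actual" -ge "$2" ]
}

# Stand-alone usage: ./example.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    gen_selfsigned 3072 "$tmp" "${HOSTNAME:-localhost}" 2>/dev/null
    echo "generated key size: $(rsa_key_bits "$tmp/key.pem") bits"
    check_min_bits "$tmp/key.pem" 3072 && echo "meets 3072-bit minimum"
    rm -rf "$tmp"
fi
```

Running it with the demo argument generates a 3072-bit key in a temporary directory and reports the size read back from the key, which is the check the report above performs with ssh-keygen -l.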