From e60ba45e00539d49b7a305165c08c01a17140d0b Mon Sep 17 00:00:00 2001 From: mich-elle-luna Date: Tue, 24 Jun 2025 14:10:45 -0700 Subject: [PATCH 1/5] Add RHEL 8 crypto policy limitation for certificate key sizes - Document that FUTURE crypto policy rejects certificates with keys < 3072 bits - Explain impact on users with custom 2048-bit certificates - Provide guidance to change policy from FUTURE to DEFAULT - Include reference to Red Hat crypto policy documentation Addresses DOC-1629 --- content/embeds/supported-platforms-embed.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/content/embeds/supported-platforms-embed.md b/content/embeds/supported-platforms-embed.md index 3aa9958a37..6a0a089c7e 100644 --- a/content/embeds/supported-platforms-embed.md +++ b/content/embeds/supported-platforms-embed.md 
@@ -76,7 +76,13 @@ The RHEL-compatible distributions CentOS, CentOS Stream, Alma Linux, Rocky Linux ### TLS 1.0 and TLS 1.1 -Redis Enterprise Software version 6.2.8 removed support for TLS 1.0 and TLS 1.1 on Red Hat Enterprise Linux 8 (RHEL 8) because that operating system [does not enable support](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening) for these versions by default. +Redis Enterprise Software version 6.2.8 removed support for TLS 1.0 and TLS 1.1 on Red Hat Enterprise Linux 8 (RHEL 8) because that operating system [does not enable support](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening) for these versions by default. + +### RHEL 8 crypto policy and certificate key size + +In RHEL 8, if the crypto policy is set to `FUTURE`, the system will not accept certificates with private key sizes smaller than 3072 bits. This affects users who use custom certificates with smaller keys (such as 2048-bit keys). + +If you want to continue using certificates with smaller key sizes, you need to change the crypto policy from `FUTURE` to `DEFAULT`. For more information about crypto policies, see the [Red Hat documentation on system-wide cryptographic policies](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening). ### Ubuntu 20 rejects SHA1 certificates From a2c77f88a67169916cef17ca9c2914544e2c7243 Mon Sep 17 00:00:00 2001 
From: mich-elle-luna <153109578+mich-elle-luna@users.noreply.github.com> Date: Wed, 25 Jun 2025 16:35:28 -0700 Subject: [PATCH 2/5] Update content/embeds/supported-platforms-embed.md Co-authored-by: Rachel Elledge <86307637+rrelledge@users.noreply.github.com> --- content/embeds/supported-platforms-embed.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/embeds/supported-platforms-embed.md b/content/embeds/supported-platforms-embed.md index 6a0a089c7e..c6709376bb 100644 --- a/content/embeds/supported-platforms-embed.md +++ b/content/embeds/supported-platforms-embed.md @@ -82,7 +82,7 @@ Redis Enterprise Software version 6.2.8 removed support for TLS 1.0 and TLS 1.1 In RHEL 8, if the crypto policy is set to `FUTURE`, the system will not accept certificates with private key sizes smaller than 3072 bits. This affects users who use custom certificates with smaller keys (such as 2048-bit keys). -If you want to continue using certificates with smaller key sizes, you need to change the crypto policy from `FUTURE` to `DEFAULT`. For more information about crypto policies, see the [Red Hat documentation on system-wide cryptographic policies](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening). +To use certificates with smaller key sizes, you need to change the crypto policy from `FUTURE` to `DEFAULT`. For more information about crypto policies, see the [Red Hat documentation on system-wide cryptographic policies](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening). ### Ubuntu 20 rejects SHA1 certificates From a8821141d86460af3a431149700fd7820043423b Mon Sep 17 00:00:00 2001 
From: mich-elle-luna <153109578+mich-elle-luna@users.noreply.github.com> Date: Tue, 8 Jul 2025 11:16:20 -0700 Subject: [PATCH 3/5] Update updating-certificates.md --- .../rs/security/certificates/updating-certificates.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/operate/rs/security/certificates/updating-certificates.md b/content/operate/rs/security/certificates/updating-certificates.md index ffab97a185..5093fca4a5 100644 --- a/content/operate/rs/security/certificates/updating-certificates.md +++ b/content/operate/rs/security/certificates/updating-certificates.md @@ -141,3 +141,9 @@ To update your syncer certificate on clusters running Active-Active databases, f - Run step 2 as quickly as possible after step 1. Between the two steps, new syncer connections that use the ‘old’ certificate will get rejected by the cluster that has been updated with the new certificate (in step 1).
- Do not run any other `crdb-cli crdb update` operations between the two steps.
{{}} + +### Troubleshoot RHEL 8 crypto policy and certificate key size + +In RHEL 8, if the crypto policy is set to `FUTURE`, the system will not accept certificates with private key sizes smaller than 3072 bits. This affects the use of custom certificates with smaller keys (such as 2048-bit keys). + +To use certificates with smaller key sizes, you need to change the crypto policy from `FUTURE` to `DEFAULT`. For more information about crypto policies, see the [Red Hat documentation on system-wide cryptographic policies](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening). From e12df67fb94a239a6f43a0801455131fc0525a9e Mon Sep 17 00:00:00 2001 From: mich-elle-luna <153109578+mich-elle-luna@users.noreply.github.com> Date: Tue, 8 Jul 2025 11:20:37 -0700 Subject: [PATCH 4/5] Update supported-platforms-embed.md --- content/embeds/supported-platforms-embed.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/embeds/supported-platforms-embed.md b/content/embeds/supported-platforms-embed.md index c6709376bb..be6f7f050e 100644 --- a/content/embeds/supported-platforms-embed.md +++ b/content/embeds/supported-platforms-embed.md 
@@ -80,7 +80,7 @@ Redis Enterprise Software version 6.2.8 removed support for TLS 1.0 and TLS 1.1 ### RHEL 8 crypto policy and certificate key size -In RHEL 8, if the crypto policy is set to `FUTURE`, the system will not accept certificates with private key sizes smaller than 3072 bits. This affects users who use custom certificates with smaller keys (such as 2048-bit keys). +In RHEL 8, if the crypto policy is set to `FUTURE`, the system will not accept certificates with private key sizes smaller than 3072 bits. This affects use of custom certificates with smaller keys (such as 2048-bit keys). To use certificates with smaller key sizes, you need to change the crypto policy from `FUTURE` to `DEFAULT`. For more information about crypto policies, see the [Red Hat documentation on system-wide cryptographic policies](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening). From e2b1bfdd5eb0fd272cc95264cdabd3904a4c7292 Mon Sep 17 00:00:00 2001 From: mich-elle-luna <153109578+mich-elle-luna@users.noreply.github.com> Date: Tue, 8 Jul 2025 11:31:52 -0700 Subject: [PATCH 5/5] Update updating-certificates.md --- .../operate/rs/security/certificates/updating-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/operate/rs/security/certificates/updating-certificates.md b/content/operate/rs/security/certificates/updating-certificates.md index 5093fca4a5..aac5195b95 100644 --- a/content/operate/rs/security/certificates/updating-certificates.md +++ b/content/operate/rs/security/certificates/updating-certificates.md @@ -142,7 +142,7 @@ To update your syncer certificate on clusters running Active-Active databases, f - Do not run any other `crdb-cli crdb update` operations between the two steps.
{{}} -### Troubleshoot RHEL 8 crypto policy and certificate key size +## Troubleshoot RHEL 8 crypto policy and certificate key size In RHEL 8, if the crypto policy is set to `FUTURE`, the system will not accept certificates with private key sizes smaller than 3072 bits. This affects the use of custom certificates with smaller keys (such as 2048-bit keys).
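Review bot: In the new "RHEL 8 crypto policy and certificate key size" section of content/embeds/supported-platforms-embed.md (patch 1), "will not accept certificates with private key sizes smaller than 3072 bits" is imprecise: the RHEL 8 FUTURE policy enforces a minimum RSA and Diffie-Hellman key length of 3072 bits, and what is checked at the TLS handshake is the public key in the certificate presented by the peer, so the sentence should read "RSA keys shorter than 3072 bits" and name the key type. The remediation paragraph "To use certificates with smaller key sizes, you need to change the crypto policy from `FUTURE` to `DEFAULT`" also documents only the weakening option; since `update-crypto-policies --set DEFAULT` relaxes the policy for every TLS consumer on the host, the section should first state that reissuing the certificate with a 3072-bit or larger RSA key is the fix that keeps the hardening, give `update-crypto-policies --show` for checking the current policy, and mention that a reboot is needed after `--set` before services pick up the new policy.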
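Review bot: The "Troubleshoot RHEL 8 crypto policy and certificate key size" section added to content/operate/rs/security/certificates/updating-certificates.md (patch 3) is a verbatim copy of the paragraph introduced in content/embeds/supported-platforms-embed.md rather than an include of it, and the two copies have already diverged within this series: patch 4 changes the embed to "This affects use of custom certificates" while updating-certificates.md keeps "This affects the use of custom certificates", and patch 5 has to fix the heading level (`###` under the closing note shortcode of the syncer procedure reads as a sub-step of that procedure) only in the second file. Suggest moving this text into a dedicated file under content/embeds and pulling it into both pages with the embed shortcode the site already uses, so the key-size wording fix and any later change to the recommended remediation land in one place.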