From c3a64be7950736d5bedf30bed2f4ccb87e754a61 Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Tue, 11 Feb 2025 06:25:34 +0100 Subject: [PATCH] tls: Stop hardcoding 2048 bit RSA key length MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These are rejected as "too weak" by the "FUTURE" crypto policy. Let the tools decide about appropriate defaults rather. Thanks to Renaud Métrich for finding this! https://issues.redhat.com/browse/RHEL-78645
---
 src/tls/cockpit-certificate-helper.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/tls/cockpit-certificate-helper.in b/src/tls/cockpit-certificate-helper.in
index c4b5922c785c..32fa8bd5223b 100644
--- a/src/tls/cockpit-certificate-helper.in
+++ b/src/tls/cockpit-certificate-helper.in
@@ -30,7 +30,6 @@ install_key() {
 selfsign_sscg() {
 sscg --quiet \
 --lifetime "${DAYS}" \
- --key-strength 2048 \
 --cert-key-file "${KEYFILE}" \
 --cert-file "${CERTFILE}" \
 --ca-file "${CA_FILE}" \
@@ -43,7 +42,7 @@ selfsign_sscg() {
 selfsign_openssl() {
 openssl req -x509 \
 -days "${DAYS}" \
- -newkey rsa:2048 \
+ -newkey rsa \
 -keyout "${KEYFILE}" \
 -keyform PEM \
 -nodes \
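Review bot: Nothing in selfsign_sscg now says why the key size is left unspecified, so a later cleanup could re-add a fixed `--key-strength` and bring back the rejection under stricter crypto policies; the same gap exists at the `-newkey rsa` line in selfsign_openssl. A comment cannot sit inside the backslash-continued argument list, so it would go on the line above `sscg --quiet \`, for example `# No --key-strength: let sscg choose a size the system crypto policy accepts`. The function body continues past the end of the hunk.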
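Review bot: On the `-newkey rsa` line the key size now comes from `default_bits` in the `[req]` section of whichever OpenSSL configuration is in effect, and OpenSSL uses 2048 bits when that setting is absent, so this path only yields a stronger key where the host configuration raises it. Whether a `-config` argument is passed is not visible, since selfsign_openssl continues outside the hunk. I would record the dependency above the command, `# RSA size: default_bits from the active openssl config (2048 if unset)`, and confirm on a host running the FUTURE policy that the generated certificate is accepted.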