Error: Must be signed by an RSA 2048/4096 bit key, instead SHA384-RSA was used #10650
Unanswered
lucasarrudatrustly asked this question in Help
Hey. I recommend using ECDSA with cert-manager. While we won't issue warnings when the trust anchor has been signed with an RSA key, we prefer that keys are signed with ECDSA (i.e. identity issuer will need ECDSA). I suggest using something similar to the following resource:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-trust-anchor
  namespace: cert-manager
spec:
  # Issue a CA certificate to act as the trust anchor
  isCA: true
  commonName: root.linkerd.cluster.local
  secretName: linkerd-identity-trust-roots
  # ECDSA private key of size 256 instead of RSA
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: linkerd-self-signed-issuer
    kind: ClusterIssuer
    group: cert-manager.io
```
Hi! I'm trying to use a trusted anchor generated by cert-manager with an intermediate CA issued by externalCA, but the problem is that I'm getting the following error:

```
× trust anchors are using supported crypto algorithm
Invalid trustAnchors:
CA must be signed by an RSA 2048/4096 bit key, instead SHA384-RSA was used
see https://linkerd.io/2.12/checks/#l5d-identity-trustAnchors-use-supported-crypto for hints
```

I did not find anything about why SHA384-RSA is not allowed, and cert-manager does not support setting the signing algorithm.
Can anyone help me understand why it is not allowed, or whether there is an alternative way?
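The `SHA384-RSA` in the error above is the name Go's `crypto/x509` package gives to a signature algorithm, while the manifest in the reply sets the private key algorithm and size. The Go program below is an added example, not part of the original posts and not Linkerd's own check, that reports both properties of a certificate (PEM or DER) so the two can be told apart. `describeCert`, `demoCA` and the keys are hypothetical names and constructed inputs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

var ecKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo keys,
var rsaKey, _ = rsa.GenerateKey(rand.Reader, 2048)             // never use for a real anchor

// describeCert reports key type and size and, separately, the signature algorithm.
func describeCert(data []byte) (string, error) {
	if block, _ := pem.Decode(data); block != nil {
		data = block.Bytes // PEM input; anything else is parsed as raw DER
	}
	cert, err := x509.ParseCertificate(data)
	if err != nil {
		return "", err
	}
	bits := 0
	if k, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		bits = k.N.BitLen()
	} else if k, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
		bits = k.Curve.Params().BitSize
	}
	return fmt.Sprintf("key=%s-%d sig=%s", cert.PublicKeyAlgorithm, bits, cert.SignatureAlgorithm), nil
}

// demoCA (hypothetical helper) self-signs a constructed throwaway CA, returned as PEM.
func demoCA(pub, priv interface{}, sig x509.SignatureAlgorithm) []byte {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), SignatureAlgorithm: sig}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(describeCert(demoCA(&ecKey.PublicKey, ecKey, x509.ECDSAWithSHA256)))
	fmt.Println(describeCert(demoCA(&rsaKey.PublicKey, rsaKey, x509.SHA384WithRSA)))
}
```

The RSA case shows a 2048-bit key whose certificate still reports `SHA384-RSA` as its signature algorithm, so the two values vary independently.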