*: stronger SSL keys and certificates.

* use the default RSA key length, instead of hardcoding 1024 (too weak) or 2048 (same as the current default). * use SHA256 in certificates.

*: stronger SSL keys and certificates.
* use the default RSA key length, instead of hardcoding 1024 (too weak) or 2048 (same as the current default). * use SHA256 in certificates.
d90a7620 · Kazuhiko Shiozaki · d905d7c1 · d90a7620 · d90a7620 · d90a7620
Commit d90a7620 authored Apr 10, 2024 by Kazuhiko Shiozaki
56 changed files
--- a/component/jupyter-py2/buildout.hash.cfg
+++ b/component/jupyter-py2/buildout.hash.cfg
@@ -15,7 +15,7 @@

 [instance-jupyter-notebook]
 filename = instance.cfg.in
-md5sum = 9f412363ce2c2ac99e3328f7d87d456d
+md5sum = fd7ed44da8d8723983b8666df2971a36

 [jupyter-notebook-config]
 filename = jupyter_notebook_config.py.jinja

--- a/component/jupyter-py2/instance.cfg.in
+++ b/component/jupyter-py2/instance.cfg.in
@@ -43,9 +43,9 @@ recipe = plone.recipe.command
 command =
  if [ ! -e ${instance-parameter:key_file} ]
  then
-    {{ openssl_output }} req -x509 -nodes -days 3650 \
+    {{ openssl_output }} req -x509 -nodes -sha256 -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=${instance-parameter:host}" \
-      -newkey rsa:1024 -keyout ${instance-parameter:key_file} \
+      -newkey rsa -keyout ${instance-parameter:key_file} \
      -out ${instance-parameter:cert_file}
  fi
 update-command = ${:command}

--- a/slapos/recipe/certificate_authority/certificate_authority.py
+++ b/slapos/recipe/certificate_authority/certificate_authority.py
@@ -46,7 +46,7 @@ class CertificateAuthority:
    try:
      # no CA, let us create new one
      popenCommunicate([self.openssl_binary, 'req', '-utf8', '-nodes',
-          '-config', self.openssl_configuration, '-new', '-x509',
+          '-config', self.openssl_configuration, '-new', '-sha256', '-x509',
          '-extensions', 'v3_ca', '-keyout', self.key, '-out',
          self.certificate, '-days', '10950'],
          'Certificate Authority %s\n' % uuid.uuid1())
@@ -75,7 +75,7 @@ class CertificateAuthority:
    csr = certificate + '.csr'
    try:
      popenCommunicate([self.openssl_binary, 'req', '-config',
-        self.openssl_configuration, '-nodes', '-new', '-keyout',
+        self.openssl_configuration, '-nodes', '-new', '-sha256', '-keyout',
        key, '-out', csr, '-days', '3650'],
        common_name + '\n')
      try:

--- a/slapos/recipe/re6stnet/__init__.py
+++ b/slapos/recipe/re6stnet/__init__.py
@@ -78,7 +78,7 @@ class Recipe(GenericBaseRecipe):
                            '%s' % key_file, self.options['key-size']]

      #'-config', openssl_configuration
-      cert_command = [self.options['openssl-bin'], 'req', '-nodes', '-new',
+      cert_command = [self.options['openssl-bin'], 'req', '-nodes', '-new', '-sha256',
                  '-x509', '-batch', '-key', '%s' % key_file, '-set_serial',
                  '%s' % serial, '-days', '3650', '-out', '%s' % cert_file]


--- a/software/beremiz-ide/buildout.hash.cfg
+++ b/software/beremiz-ide/buildout.hash.cfg
@@ -19,7 +19,7 @@ md5sum = ed2bd38b78f2a66f474205249f6e6f2c

 [template-instance-beremiz]
 filename = instance-beremiz.cfg.jinja2.in
-md5sum = bca63fc8943e7c5fa7dd43841e49bf95
+md5sum = 29c65611d51975e5bb2a1e2002a0a6c8

 [template-instance-beremiz-test]
 filename = instance-beremiz-test.cfg.jinja2.in

--- a/software/beremiz-ide/instance-beremiz.cfg.jinja2.in
+++ b/software/beremiz-ide/instance-beremiz.cfg.jinja2.in
@@ -25,7 +25,7 @@ fluxbox = ${buildout:directory}/.fluxbox

 [gen-certificate]
 recipe = plone.recipe.command
-command = "{{ openssl_bin }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key-file}" -out "${:cert-file}"
+command = "{{ openssl_bin }}" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:key-file}" -out "${:cert-file}"
 stop-on-error = true
 cert-file = ${directory:ssl}/beremiz.crt
 key-file = ${directory:ssl}/beremiz.key

--- a/software/cloudooo/buildout.hash.cfg
+++ b/software/cloudooo/buildout.hash.cfg
@@ -18,7 +18,7 @@ md5sum = d1e4d7306c39f2ebc64d0407860d4301

 [template-cloudooo-instance]
 filename = instance-cloudooo.cfg.in
-md5sum = 13759bf9720f0e7109fc35a8ad8a50a9
+md5sum = 06dc19acd28ab412beffa61890be2095

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/software/cloudooo/instance-cloudooo.cfg.in
+++ b/software/cloudooo/instance-cloudooo.cfg.in
@@ -116,7 +116,7 @@ crl = ${directory:apache-conf}/crl.pem

 [apache-ssl]
 recipe = plone.recipe.command
-command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
 key = ${apache-conf-ssl:key}
 cert = ${apache-conf-ssl:cert}


--- a/software/dufs/buildout.hash.cfg
+++ b/software/dufs/buildout.hash.cfg
@@ -15,4 +15,4 @@

 [instance.cfg.in]
 filename = instance.cfg.in
-md5sum = f7a283e3288d3a9ddfd5de7e9b309273
+md5sum = 1e9012cb8476e00497b3fe9881158440
--- a/software/dufs/instance.cfg.in
+++ b/software/dufs/instance.cfg.in
@@ -115,6 +115,7 @@ command =
      -newkey rsa \
      -batch \
      -new \
+      -sha256 \
      -nodes \
      -keyout /dev/null \
      -config '${dufs-certificate-csr-config:output}' \

--- a/software/erp5testnode/buildout.hash.cfg
+++ b/software/erp5testnode/buildout.hash.cfg
@@ -18,4 +18,4 @@ md5sum = 06b0acece285ecbc0e746fa267a374b6

 [template-default]
 filename = instance-default.cfg.jinja.in
-md5sum = 164c4610ab20a081b3db26f23566bb7c
+md5sum = bf95d5f4ac107ad27a0c980633ad20be
--- a/software/erp5testnode/instance-default.cfg.jinja.in
+++ b/software/erp5testnode/instance-default.cfg.jinja.in
@@ -118,9 +118,9 @@ recipe = plone.recipe.command
 command =
  if [ ! -e $${:cert-file} ]
  then
-    ${openssl-output:openssl} req -x509 -nodes -days 3650 \
+    ${openssl-output:openssl} req -x509 -nodes -sha256 -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
-      -newkey rsa:2048 -keyout $${:cert-file} \
+      -newkey rsa -keyout $${:cert-file} \
      -out $${:cert-file}
  fi
 update-command = $${:command}

--- a/software/galene/buildout.hash.cfg
+++ b/software/galene/buildout.hash.cfg
@@ -19,4 +19,4 @@ md5sum = 1747b8cda8d815055453420de4ed677f

 [template-default]
 filename = instance-default.cfg.in
-md5sum = fa9bd07d6a5fcf55e9548f63a943f022
+md5sum = 452599c3067904a9decb8c5dba55eb46
--- a/software/galene/instance-default.cfg.in
+++ b/software/galene/instance-default.cfg.in
@@ -58,7 +58,7 @@ recordings = $${:srv}/recordings
 recipe = plone.recipe.command
 cert-file = $${directory:data}/cert.pem
 key-file = $${directory:data}/key.pem
-command = ${openssl:location}/bin/openssl req -newkey rsa:2048 -batch -new -x509  -days 3650 -nodes -keyout "$${:key-file}" -out "$${:cert-file}"
+command = ${openssl:location}/bin/openssl req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "$${:key-file}" -out "$${:cert-file}"
 update-command =
 stop-on-error = true


--- a/software/gitlab/buildout.hash.cfg
+++ b/software/gitlab/buildout.hash.cfg
@@ -54,7 +54,7 @@ md5sum = 58e3d5bbda32583d00cd8f44ec0525b0

 [instance-gitlab.cfg.in]
 _update_hash_filename_ = instance-gitlab.cfg.in
-md5sum = 9303fa3912e6eaea04add760b55521f3
+md5sum = b913c4a1f199a87ad71da6d102adffa4

 [instance-gitlab-export.cfg.in]
 _update_hash_filename_ = instance-gitlab-export.cfg.in

--- a/software/gitlab/instance-gitlab.cfg.in
+++ b/software/gitlab/instance-gitlab.cfg.in
@@ -766,7 +766,7 @@ key_file    = ${nginx-ssl-dir:ssl}/gitlab_backend.key

 command =
    test -e ${:key_file} || \
-        {{ openssl_bin }} req -newkey rsa -batch -new -x509 -days 3650 -nodes   \
+        {{ openssl_bin }} req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes   \
        -keyout ${:key_file} -out ${:cert_file}
 update-command = ${:command}


--- a/software/grafana/buildout.hash.cfg
+++ b/software/grafana/buildout.hash.cfg
@@ -15,7 +15,7 @@

 [instance-profile]
 filename = instance.cfg.in
-md5sum = 94674d597e3ea7e9eca3637a737765ff
+md5sum = 8c9dc41c176ba01116de5b71aaa704de

 [influxdb-config-file]
 filename = influxdb-config-file.cfg.in

--- a/software/grafana/instance.cfg.in
+++ b/software/grafana/instance.cfg.in
@@ -55,9 +55,9 @@ recipe = plone.recipe.command
 command =
  if [ ! -e ${:key-file} ]
  then
-    {{ openssl_bin }} req -x509 -nodes -days 3650 \
+    {{ openssl_bin }} req -x509 -nodes -sha256 -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=${:common-name}" \
-      -newkey rsa:1024 -keyout ${:key-file} \
+      -newkey rsa -keyout ${:key-file} \
      -out ${:cert-file}
  fi
 update-command = ${:command}

--- a/software/headless-chromium/buildout.hash.cfg
+++ b/software/headless-chromium/buildout.hash.cfg
@@ -4,7 +4,7 @@ md5sum = c6cdcee1e16dd4bd3bc462d286dcb999

 [instance-headless-chromium]
 _update_hash_filename_ = instance-headless-chromium.cfg.in
-md5sum = 8a7e024569d92b0992f40ddac232cff5
+md5sum = df3ae1220c58cde5555ee596ef4a8b1d

 [template-nginx-conf]
 _update_hash_filename_ = templates/nginx.conf.in

--- a/software/headless-chromium/instance-headless-chromium.cfg.in
+++ b/software/headless-chromium/instance-headless-chromium.cfg.in
@@ -50,7 +50,7 @@ command-line =
  --user-data-dir=${directory:tmp}
  --window-size="${headless-chromium:window-size}"
  {% if parameter_dict['incognito'] %} --incognito{% endif -%}
-  {% if parameter_dict['block-new-web-contents'] %} --block-new-web-contents{% endif -%}
+  {% if parameter_dict['block-new -sha256-web-contents'] %} --block-new-web-contents{% endif -%}
 {{ '\n  "${headless-chromium:target-url}"' }}
 environment =
  FONTCONFIG_FILE=${font-config:output}
@@ -114,7 +114,7 @@ command =
  then
    openssl req -x509 -nodes -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=${:common-name}" \
-      -newkey rsa:1024 -keyout ${:key-file} \
+      -newkey rsa -keyout ${:key-file} \
      -out ${:cert-file}
    openssl x509 -addtrust serverAuth \
      -in ${:cert-file} \

--- a/software/hugo/buildout.hash.cfg
+++ b/software/hugo/buildout.hash.cfg
@@ -15,7 +15,7 @@

 [template-cfg]
 filename = instance.cfg.in
-md5sum = edddaa4f6145f3eab4463063dacacfaa
+md5sum = 6799fbb8d8e485725a046ba6361d20fa

 [template_nginx_conf]
 _update_hash_filename_ = templates/nginx_conf.in

--- a/software/hugo/instance.cfg.in
+++ b/software/hugo/instance.cfg.in
@@ -174,9 +174,9 @@ recipe = plone.recipe.command
 command =
  if [ ! -e ${:key-file} ]
  then
-    {{ parameter_list['openssl_location'] }}/bin/openssl req -x509 -nodes -days 3650 \
+    {{ parameter_list['openssl_location'] }}/bin/openssl req -x509 -nodes -sha256 -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=${hugo:ip}" \
-      -newkey rsa:1024 -keyout ${:key-file} \
+      -newkey rsa -keyout ${:key-file} \
      -out ${:cert-file}
  fi
 update-command = ${:command}

--- a/software/jscrawler/buildout.hash.cfg
+++ b/software/jscrawler/buildout.hash.cfg
@@ -19,7 +19,7 @@ md5sum = 7333d1dfd4e8e4c375f7f1748292f554

 [template-jscrawler]
 filename = instance-jscrawler.cfg.jinja2.in
-md5sum = 2ba9d6a30b420c9bf67d4a135b48212b
+md5sum = 2d8da11d54464422110f92dc62c55c78

 [template-jscrawler-builder]
 filename = template-jscrawler.builder.sh.in

--- a/software/jscrawler/instance-jscrawler.cfg.jinja2.in
+++ b/software/jscrawler/instance-jscrawler.cfg.jinja2.in
@@ -19,7 +19,7 @@ tmp = ${:srv}/tmp
 #################################
 [gen-certificate]
 recipe = plone.recipe.command
-command = "{{ parameter_dict['openssl'] }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:ssl_key}" -out "${:ssl_crt}"
+command = "{{ parameter_dict['openssl'] }}" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:ssl_key}" -out "${:ssl_crt}"
 stop-on-error = true
 ssl_crt = ${directory:ssl}/httpd.crt
 ssl_key = ${directory:ssl}/httpd.key

--- a/software/jupyter/buildout.hash.cfg
+++ b/software/jupyter/buildout.hash.cfg
@@ -19,7 +19,7 @@ md5sum = 5f39952f94095b1f12f41db76867e71e

 [instance-jupyter]
 filename = instance-jupyter.cfg.in
-md5sum = 1ac942c544d2a2aa3d1e16a61a1f8bc8
+md5sum = f9a0e5a134456d74ca8b4d87862f903d

 [jupyter-notebook-config]
 filename = jupyter_notebook_config.py.jinja

--- a/software/jupyter/instance-jupyter.cfg.in
+++ b/software/jupyter/instance-jupyter.cfg.in
@@ -61,9 +61,9 @@ recipe = plone.recipe.command
 command =
  if [ ! -e ${instance-parameter:key_file} ]
  then
-    {{ openssl_output }} req -x509 -nodes -days 3650 \
+    {{ openssl_output }} req -x509 -nodes -sha256 -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=${instance-parameter:host}" \
-      -newkey rsa:1024 -keyout ${instance-parameter:key_file} \
+      -newkey rsa -keyout ${instance-parameter:key_file} \
      -out ${instance-parameter:cert_file}
  fi
 update-command = ${:command}

--- a/software/kvm/buildout.hash.cfg
+++ b/software/kvm/buildout.hash.cfg
@@ -79,7 +79,7 @@ md5sum = a97ba5a5afcfd6f6bb9f4e77f37555dd

 [template-httpd]
 filename = instance-kvm-http.cfg.in
-md5sum = 438192aab9f11e40dc521b46a4854dcf
+md5sum = 12779e690aa8341da660d833e102e552

 [image-download-controller]
 filename = template/image-download-controller.py.in

--- a/software/kvm/instance-kvm-http.cfg.in
+++ b/software/kvm/instance-kvm-http.cfg.in
@@ -57,7 +57,7 @@ mode = 700

 [httpd-ssl]
 recipe = plone.recipe.command
-command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
 key = ${directory:ssl}/key
 cert = ${directory:ssl}/cert
 update-command =

--- a/software/metabase/buildout.hash.cfg
+++ b/software/metabase/buildout.hash.cfg
 [instance-profile]
 filename = instance.cfg.in
-md5sum = f753802ad631a57c559d868e525cf81b
+md5sum = 798485b3dd08749ff8ec92d65c6a180f
--- a/software/metabase/instance.cfg.in
+++ b/software/metabase/instance.cfg.in
@@ -78,7 +78,7 @@ recipe = plone.recipe.command
 command =
  if [ ! -e $${:cert-file} ]
  then
-    ${openssl-output:openssl} req -x509 -nodes -days 3650 \
+    ${openssl-output:openssl} req -x509 -nodes -sha256 -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
      -newkey rsa -keyout $${:cert-file} \
      -out $${:cert-file}

--- a/software/nginx-push-stream/buildout.hash.cfg
+++ b/software/nginx-push-stream/buildout.hash.cfg
 [template]
 filename = instance.cfg.in
-md5sum = 6482b6aea742357350f0d7e350f9baa6
+md5sum = 52e599b14817e28e7ee48706360ad3cc

 [template-nginx-configuration]
 filename = template-nginx.cfg.in

--- a/software/nginx-push-stream/instance.cfg.in
+++ b/software/nginx-push-stream/instance.cfg.in
@@ -60,9 +60,9 @@ recipe = plone.recipe.command
 command =
  if [ ! -e $${:key-file} ]
  then
-    ${openssl:location}/bin/openssl req -x509 -nodes -days 3650 \
+    ${openssl:location}/bin/openssl req -x509 -nodes -sha256 -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${nginx-configuration:ip}" \
-      -newkey rsa:1024 -keyout $${:key-file} \
+      -newkey rsa -keyout $${:key-file} \
      -out $${:cert-file}
  fi
 update-command = $${:command}

--- a/software/rapid-cdn/buildout.hash.cfg
+++ b/software/rapid-cdn/buildout.hash.cfg
@@ -22,15 +22,15 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68

 [profile-frontend]
 filename = instance-frontend.cfg.in
-md5sum = bb8129cdd89632c3c3ce86556496cb0f
+md5sum = b3c5694042035f13832479dca3481597

 [profile-master]
 filename = instance-master.cfg.in
-md5sum = 3006197ddce87bd92866b76b5ce8ce08
+md5sum = 934b7f5e8d470e18bc980942bf467ada

 [profile-slave-list]
 filename = instance-slave-list.cfg.in
-md5sum = b75e42233c1b7bdd5f21971ed8907efc
+md5sum = 96bd66e98c7b4492ab4aba46e0e14e13

 [profile-master-publish-slave-information]
 filename = instance-master-publish-slave-information.cfg.in
@@ -102,7 +102,7 @@ md5sum = e82ccdb0b26552a1c88ff523d8fae24a

 [profile-kedifa]
 filename = instance-kedifa.cfg.in
-md5sum = 669da915003122e48646dc75fec239a5
+md5sum = 107dc147d94d02d2084b97b8ec591831

 [template-frontend-haproxy-rsyslogd-conf]
 _update_hash_filename_ = templates/frontend-haproxy-rsyslogd.conf.in

--- a/software/rapid-cdn/instance-frontend.cfg.in
+++ b/software/rapid-cdn/instance-frontend.cfg.in
@@ -209,7 +209,7 @@ command =
  rm -f ${:certificate}
  /bin/bash -c ' \
  {{ software_parameter_dict['openssl'] }} req \
-     -new -newkey rsa:2048 -sha256 \
+     -new -newkey rsa -sha256 \
     -nodes -x509 -days 36500 \
     -keyout ${:certificate} \
     -subj "/CN=Self Signed IP Access" \
@@ -233,7 +233,7 @@ command =
  rm -f ${:certificate}
  /bin/bash -c ' \
  {{ software_parameter_dict['openssl'] }} req \
-     -new -newkey rsa:2048 -sha256 \
+     -new -newkey rsa -sha256 \
     -nodes -x509 -days 36500 \
     -keyout ${:certificate} \
     -subj "/CN=Fallback certificate/OU={{ instance_parameter_dict['configuration.frontend-name'] }}" \
@@ -282,7 +282,7 @@ command =
 {% if slapparameter_dict['kedifa-caucase-url'] %}
  if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ]  ; then
    {{ software_parameter_dict['openssl'] }} req -new -sha256 \
-      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -newkey rsa -nodes -keyout ${:key} \
      -subj "/O=${:organization}/OU=${:organizational_unit}" \
      -out ${:template-csr}
  fi
@@ -335,7 +335,7 @@ command =
 {% if slapparameter_dict['backend-client-caucase-url'] %}
  if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ]  ; then
    {{ software_parameter_dict['openssl'] }} req -new -sha256 \
-      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -newkey rsa -nodes -keyout ${:key} \
      -subj "/O=${:organization}/OU=${:organizational_unit}" \
      -out ${:template-csr}
  fi

--- a/software/rapid-cdn/instance-kedifa.cfg.in
+++ b/software/rapid-cdn/instance-kedifa.cfg.in
@@ -89,7 +89,7 @@ organizational_unit = Kedifa Partition
 command =
  if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ]  ; then
    /bin/bash -c '{{ software_parameter_dict['openssl'] }} req -new -sha256 \
-      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -newkey rsa -nodes -keyout ${:key} \
      -subj "/O=${:organization}/OU=${:organizational_unit}" \
      -reqexts SAN \
      -config <(cat {{ software_parameter_dict['openssl_cnf'] }} \
@@ -135,7 +135,7 @@ stop-on-error = True
 update-command = ${:command}
 command =
  if ! [ -f ${:key} ] && ! [ -f ${:certificate} ] ; then
-    {{ software_parameter_dict['openssl'] }} req -new -newkey rsa:2048 -sha256 -subj \
+    {{ software_parameter_dict['openssl'] }} req -new -newkey rsa -sha256 -subj \
      "/O=${kedifa-csr:organization}/OU=${kedifa-csr:organizational_unit}/CN={{ instance_parameter_dict['ipv6-random'] }}" \
      -days 5 -nodes -x509 -keyout ${:key} -out ${:certificate}
  fi

--- a/software/rapid-cdn/instance-master.cfg.in
+++ b/software/rapid-cdn/instance-master.cfg.in
@@ -631,7 +631,7 @@ organizational_unit = Automatic Internal Kedifa Caucase CSR
 command =
  if [ ! -f ${:csr} ] && [ ! -f ${:key} ]  ; then
    {{ software_parameter_dict['openssl'] }} req -new -sha256 \
-      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -newkey rsa -nodes -keyout ${:key} \
      -subj "/O=${:organization}/OU=${:organizational_unit}" \
      -out ${:csr}
  fi
@@ -752,7 +752,7 @@ organizational_unit = Automatic Sign Backend Client Caucase CSR
 command =
  if [ ! -f ${:csr} ] && [ ! -f ${:key} ]  ; then
    {{ software_parameter_dict['openssl'] }} req -new -sha256 \
-      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -newkey rsa -nodes -keyout ${:key} \
      -subj "/O=${:organization}/OU=${:organizational_unit}" \
      -out ${:csr}
  fi
@@ -927,7 +927,7 @@ update-command = ${:command}
 command =
  [ -f ${:certificate} ] && {{ software_parameter_dict['findutils'] }}/bin/find ${:certificate} -type f -mtime +3 -delete
  if ! [ -f ${:certificate} ] ; then
-    openssl req -new -newkey rsa:2048 -sha256 -subj \
+    openssl req -new -newkey rsa -sha256 -subj \
      "/CN=${master-introspection-server-configuration:ip}" \
      -days 5 -nodes -x509 -keyout ${:certificate} -out ${:certificate}
  fi

--- a/software/rapid-cdn/instance-slave-list.cfg.in
+++ b/software/rapid-cdn/instance-slave-list.cfg.in
@@ -611,7 +611,7 @@ stop-on-error = True
 update-command = ${:command}
 command =
  if ! [ -f ${:key} ] && ! [ -f ${:certificate} ] ; then
-    openssl req -new -newkey rsa:2048 -sha256 -subj \
+    openssl req -new -newkey rsa -sha256 -subj \
      "/O={{ expose_csr_organization }}/OU={{ expose_csr_organizational_unit }}/CN=${slap-configuration:ipv6-random}" \
      -days 5 -nodes -x509 -keyout ${:key} -out ${:certificate}
  fi

--- a/software/restic-rest-server/buildout.hash.cfg
+++ b/software/restic-rest-server/buildout.hash.cfg
@@ -15,4 +15,4 @@

 [instance.cfg.in]
 filename = instance.cfg.in
-md5sum = b5c479ebb4cf2fd2f63623af88b95078
+md5sum = 1d9513c44185ad47bd3bb50f748c372a
--- a/software/restic-rest-server/instance.cfg.in
+++ b/software/restic-rest-server/instance.cfg.in
@@ -111,9 +111,10 @@ recipe = plone.recipe.command
 command =
  if [ ! -f '${:csr}' ] ; then
   {{ openssl_bin }} req \
-      -newkey rsa:2048 \
+      -newkey rsa \
      -batch \
      -new \
+      -sha256 \
      -nodes \
      -keyout /dev/null \
      -config '${rest-server-certificate-csr-config:output}' \

--- a/software/seleniumserver/buildout.hash.cfg
+++ b/software/seleniumserver/buildout.hash.cfg
@@ -19,4 +19,4 @@ md5sum = 10e19df182c692b71ea552da183a0bcf

 [template-selenium]
 filename = instance-selenium.cfg.in
-md5sum = 7239845e758b2d10299699e061b0fc75
\ No newline at end of file
+md5sum = 9bef75759623a660cfaf4b6f5a48a923
\ No newline at end of file
--- a/software/seleniumserver/instance-selenium.cfg.in
+++ b/software/seleniumserver/instance-selenium.cfg.in
@@ -137,7 +137,7 @@ command =
  then
    ${openssl-output:openssl} req -x509 -nodes -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
-      -newkey rsa:2048 -keyout $${:cert-file} \
+      -newkey rsa -keyout $${:cert-file} \
      -out $${:cert-file}
  fi
 update-command = $${:command}

--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
@@ -18,7 +18,7 @@ md5sum = 38eab3283d175230231c998fa4a3416e

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 88e15a803df4aa35285e59ae9186438a
+md5sum = 8af2ed33ef2a57cf5c5df4dd5d834d69

 [template-apache-backend-conf]
 filename = apache-backend.conf.in

--- a/software/slapos-master/instance-balancer.cfg.in
+++ b/software/slapos-master/instance-balancer.cfg.in
@@ -148,7 +148,7 @@ cert = ${apache-ssl-cert:output}
 {{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
 {% else %}
 recipe = plone.recipe.command
-command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
 key = ${apache-conf-ssl:key}
 cert = ${apache-conf-ssl:cert}
 {%- endif %}

--- a/software/slapos-master/test/test/test_erp5.py
+++ b/software/slapos-master/test/test/test_erp5.py
@@ -446,7 +446,7 @@ class TestDeploymentScriptInstantiation(ERP5InstanceTestCase):
    cert = os.path.join(self.ca_path, 'certs', 'test.crt')
    common_name = 'TEST-SSL-AUTH'
    popenCommunicate([
-      'openssl', 'req', '-utf8', '-nodes', '-config', openssl_config, '-new',
+      'openssl', 'req', '-utf8', '-nodes', '-config', openssl_config, '-new', '-sha256',
      '-keyout', key, '-out', csr, '-days', '3650'], f'{common_name}\n'.encode(),
      stdin=subprocess.PIPE)
    popenCommunicate([

--- a/software/theia/buildout.hash.cfg
+++ b/software/theia/buildout.hash.cfg
@@ -15,7 +15,7 @@

 [instance-theia]
 _update_hash_filename_ = instance-theia.cfg.jinja.in
-md5sum = 07b222d8c29d446fc0957e4e37706585
+md5sum = 23b498618bce83a6eb8df0470417f59e

 [instance]
 _update_hash_filename_ = instance.cfg.in

--- a/software/theia/instance-theia.cfg.jinja.in
+++ b/software/theia/instance-theia.cfg.jinja.in
@@ -237,7 +237,7 @@ command =
  then
    ${openssl-output:openssl} req -x509 -nodes -days 3650 \
      -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
-      -newkey rsa:2048 -keyout $${:cert-file} \
+      -newkey rsa -keyout $${:cert-file} \
      -out $${:cert-file}
  fi
 update-command = $${:command}

--- a/software/turnserver/buildout.hash.cfg
+++ b/software/turnserver/buildout.hash.cfg
@@ -19,7 +19,7 @@ md5sum = f47adc5131a3096e916dbf9ef0061f50

 [template-turnserver]
 filename = instance-turnserver.cfg.jinja2.in
-md5sum = f7ae944a28366c8888946af440d513ed
+md5sum = 016dd3bbebac4b223c11d17512a36296

 [template-insecure-turnserver]
 filename = instance-insecure-turnserver.cfg.jinja2.in

--- a/software/turnserver/instance-turnserver.cfg.jinja2.in
+++ b/software/turnserver/instance-turnserver.cfg.jinja2.in
@@ -39,7 +39,7 @@ mode = {{ mode }}
 {%  do part_list.append('gen-certificate') -%}
 [gen-certificate]
 recipe = plone.recipe.command
-command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${turnserver-ssl:key}" -out "${turnserver-ssl:certificate}"
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${turnserver-ssl:key}" -out "${turnserver-ssl:certificate}"
 {% endif -%}

 [turnserver-ssl]

--- a/stack/caucase/buildout.hash.cfg
+++ b/stack/caucase/buildout.hash.cfg
@@ -15,4 +15,4 @@

 [caucase-jinja2-library]
 filename = caucase.jinja2.library
-md5sum = 962ee4f16cef2b4b44ce0f5a87f7549c
+md5sum = a16311ab9a8965ea9020929c7100209b
--- a/stack/caucase/caucase.jinja2.library
+++ b/stack/caucase/caucase.jinja2.library
@@ -96,7 +96,7 @@ output = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
 recipe = plone.recipe.command
 command =
  if [ ! -f '{{ key_path or crt_path }}' ] && [ ! -f '${:csr}' ] ; then
-    '{{ openssl }}' req -newkey rsa:2048 -batch -new -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
+    '{{ openssl }}' req -newkey rsa -batch -new -sha256 -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
  fi
 {%-   endif %}
 csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem

--- a/stack/erp5-zope2/buildout.hash.cfg
+++ b/stack/erp5-zope2/buildout.hash.cfg
@@ -50,7 +50,7 @@ md5sum = f928b9dc99f7f970caadfe7dd6f95d34

 [template-postfix]
 filename = instance-postfix.cfg.in
-md5sum = 8f7bfca893a01c390df7a3dc9c2410e1
+md5sum = 36e2563b306cf7de6297eee415929078

 [template-postfix-master-cf]
 filename = postfix_master.cf.in
@@ -90,7 +90,7 @@ md5sum = 0451190711157fc204418662126d5cf8

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = b0751d3d12cfcc8934cb1027190f5e5e
+md5sum = d570ef33e67ca223eac790f2729c04da

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/stack/erp5-zope2/instance-balancer.cfg.in
+++ b/stack/erp5-zope2/instance-balancer.cfg.in
@@ -295,7 +295,7 @@ certificate-and-key = ${tls-certificate-and-key-from-parameters:output}
    ssl_parameter_dict['cert'] ~ "\n" ~ ssl_parameter_dict['key']) }}
 {% else %}
 recipe = plone.recipe.command
-command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:certificate-and-key}" -out "${:certificate-and-key}"
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:certificate-and-key}" -out "${:certificate-and-key}"
 certificate-and-key = ${directory:etc}/certificate-and-key-generated.pem
 {%- endif %}


--- a/stack/erp5-zope2/instance-postfix.cfg.in
+++ b/stack/erp5-zope2/instance-postfix.cfg.in
@@ -141,7 +141,7 @@ command =
  ${:openssl} dhparam -out '${:dh-2048}' 2048 &&
  ${:update}
 update =
-  ${:openssl} req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout '${:key}' -out '${:cert}'
+  ${:openssl} req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout '${:key}' -out '${:cert}'

 [{{ section('postfix-logrotate') }}]
 recipe = slapos.cookbook:cron.d

--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -50,7 +50,7 @@ md5sum = f928b9dc99f7f970caadfe7dd6f95d34

 [template-postfix]
 filename = instance-postfix.cfg.in
-md5sum = b1cdeb8fe02d47c093658b50afa7d6b9
+md5sum = eacbaeecb0c7a311eb9663d411201d6b

 [template-postfix-master-cf]
 filename = postfix_master.cf.in
@@ -90,7 +90,7 @@ md5sum = 8725a6b42de735b64b51d9bac598f94b

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 0fad9497da12ed0186dca5236c23f3a7
+md5sum = 727c6f045da382fe50916e6ea5ae6405

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -93,6 +93,7 @@ command =
      -newkey rsa \
      -batch \
      -new \
+      -sha256 \
      -nodes \
      -keyout /dev/null \
      -config '${haproxy-certificate-csr-config:output}' \

--- a/stack/erp5/instance-postfix.cfg.in
+++ b/stack/erp5/instance-postfix.cfg.in
@@ -141,7 +141,7 @@ command =
  ${:openssl} dhparam -out '${:dh-2048}' 2048 &&
  ${:update}
 update =
-  ${:openssl} req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout '${:key}' -out '${:cert}'
+  ${:openssl} req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout '${:key}' -out '${:cert}'

 [{{ section('postfix-logrotate') }}]
 recipe = slapos.cookbook:cron.d