Appendix C. Locations of cryptographic keys in RHEL 8
After you upgrade a system that is running in Federal Information Processing Standard (FIPS) mode, you must regenerate and otherwise ensure the FIPS compliance of all cryptographic keys. Some well-known locations for such keys are listed in the following table. Note that the list is not complete, and you should also check other locations.
Application | Locations of keys | Notes |
---|---|---|
Apache mod_ssl | | The |
Bind9 RNDC | | The |
Cyrus IMAPd | | The |
DNSSEC-Trigger | | The |
Dovecot | | The |
OpenPegasus | | The |
OpenSSH | | Ed25519 and DSA keys are not FIPS-compliant. |
Postfix | | The post-installation script contained in the |
RHEL web console | | The web console runs the |
Sendmail | | The post-installation script contained in the |
To ensure the FIPS compliance of cryptographic keys of third-party applications, refer to the corresponding documentation of the respective applications. Furthermore:
- Any service that opens a port might use a TLS certificate.
- Not all services generate cryptographic keys automatically, but many services that start automatically by default do so.
- Focus also on services that use any cryptographic libraries such as NSS, GnuTLS, OpenSSL, and libgcrypt.
- Check also backup, disk-encryption, file-encryption, and similar applications.
Because FIPS mode in RHEL 8 restricts DSA keys, DH parameters, RSA keys shorter than 1024 bits, and some other ciphers, old cryptographic keys stop working after the upgrade from RHEL 7. See the Changes in core cryptographic components section in the Considerations in adopting RHEL 8 document and the Using system-wide cryptographic policies chapter in the RHEL 8 Security hardening document for more information.
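The following is an added example, not part of the Red Hat documentation: a small audit helper that applies the rules above (DSA keys and RSA keys shorter than 1024 bits are rejected in FIPS mode; the OpenSSH row adds Ed25519) to PEM-encoded private keys found on disk. It uses only the standard library, reads the RSA modulus with a minimal DER parser, and the `fake_rsa_pem` helper builds constructed test data rather than real keys; the file paths to audit are whatever you pass on the command line.

```python
import base64, re, sys

# Rules from the text above: DSA and Ed25519 keys are not FIPS-compliant, and RSA
# keys shorter than 1024 bits are rejected. MIN_RSA_BITS is this example's constant.
MIN_RSA_BITS = 1024

def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }."""
    tag, body, _ = _der_tlv(der, 0)
    _, _version, pos = _der_tlv(body, 0)
    mtag, modulus, _ = _der_tlv(body, pos)
    if tag != 0x30 or mtag != 0x02:
        raise ValueError("not a PKCS#1 RSAPrivateKey")
    return int.from_bytes(modulus, "big").bit_length()

def classify_pem(pem):
    """Return (algorithm, bits, fips_ok); fips_ok is None when this check cannot tell."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    if label == "DSA PRIVATE KEY":
        return ("DSA", None, False)
    if label == "RSA PRIVATE KEY":
        bits = rsa_modulus_bits(der)
        return ("RSA", bits, bits >= MIN_RSA_BITS)
    if label == "OPENSSH PRIVATE KEY" and b"ssh-ed25519" in der:  # type name is in clear
        return ("Ed25519", None, False)
    return (label, None, None)

def _der_len(n):  # short form below 128, else 2-octet long form (enough for test data)
    return bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
def fake_rsa_pem(bits):
    """Constructed test data: a PKCS#1 shell with version 0 and a modulus of `bits` bits."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    body = b"".join(b"\x02" + _der_len(len(v)) + v for v in (b"\x00", modulus))
    der = b"\x30" + _der_len(len(body)) + body
    return "-----BEGIN RSA PRIVATE KEY-----\n%s-----END RSA PRIVATE KEY-----\n" % base64.encodebytes(der).decode()

if __name__ == "__main__":  # audit the key files named on the command line
    for path in sys.argv[1:]:
        print(path, *classify_pem(open(path).read()))
```

Keys reported with `fips_ok` False must be regenerated; a `None` result (for example an EC key or an RSA key in PKCS#8 format) means this simple check cannot decide and the key needs a manual look.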
Additional resources
- Switching the system to FIPS mode in the RHEL 8 Security hardening document
- update-crypto-policies(8) and fips-mode-setup(8) man pages on your system