Mirrors.rockylinux.org - 2048-bit RSA key insufficient for FUTURE crypto-policy

Hi there,

I played around with setting the system-wide cryptographic policy to FUTURE (link to RedHat).

As a result, I could not update the system via DNF anymore.

I ran a quick check on the mirror’s certificate:

echo | openssl s_client -connect mirrors.rockylinux.org:443 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"
                RSA Public-Key: (2048 bit)

According to the FUTURE crypto policy, the minimum strength of an RSA key is 3072-bit.

A native security policy does seem to create a conflict with such basic system maintenance as updating the system.

I suspect that this is a third-party issue, but is this something that could be changed? Not a high priority…
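The check in the post, carried a step further as an added example (not part of the original post or of Rocky Linux's tooling): the script parses the modulus size out of `openssl x509 -text` instead of just grepping for it, compares it with the policy's minimum, and demonstrates the result offline on two throwaway self-signed certificates. The 3072-bit minimum for FUTURE is the figure quoted in the thread; the 2048-bit minimum used for DEFAULT is an assumption added for contrast, and `example.test` is a made-up name for the constructed certificates.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks whether the RSA key in a
# server certificate satisfies the minimum modulus size of a crypto-policy.
# Requires only the openssl CLI, like the one-liner in the post.
set -e

# Minimum RSA modulus size per policy. FUTURE=3072 is what the thread cites;
# DEFAULT=2048 is an assumption included for contrast.
policy_min_rsa_bits() {
  case "$1" in
    FUTURE)  echo 3072 ;;
    DEFAULT) echo 2048 ;;
    *) echo "unknown policy: $1" >&2; return 1 ;;
  esac
}

# Extract the modulus size (bits) from a PEM certificate. The sed pattern
# matches both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and
# "Public-Key: (2048 bit)" (OpenSSL 3).
cert_rsa_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 if the certificate's key meets the policy, 1 if it is too small,
# 2 on usage errors (unknown policy, no RSA key found).
cert_meets_policy() {
  cert="$1"; policy="$2"
  min=$(policy_min_rsa_bits "$policy") || return 2
  bits=$(cert_rsa_bits "$cert")
  [ -n "$bits" ] || { echo "no RSA key found in $cert" >&2; return 2; }
  if [ "$bits" -ge "$min" ]; then
    echo "$cert: RSA ${bits}-bit >= ${min}-bit required by $policy: OK"
    return 0
  fi
  echo "$cert: RSA ${bits}-bit < ${min}-bit required by $policy: REJECTED"
  return 1
}

# Same probe as the post, saving the leaf certificate as PEM so it can be fed
# to cert_meets_policy. Needs network access; not used by the offline demo.
fetch_server_cert() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -outform PEM
}

# Constructed test data: a self-signed certificate with an RSA key of the
# requested size. Not the mirror's real certificate.
make_selfsigned() {
  openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=example.test" -days 1 2>/dev/null
}

# Offline demonstration: 2048-bit passes DEFAULT but fails FUTURE; 3072 passes.
demo() {
  tmp=$(mktemp -d)
  make_selfsigned "$tmp/rsa2048.pem" 2048
  make_selfsigned "$tmp/rsa3072.pem" 3072
  cert_meets_policy "$tmp/rsa2048.pem" DEFAULT || true
  cert_meets_policy "$tmp/rsa2048.pem" FUTURE  || true
  cert_meets_policy "$tmp/rsa3072.pem" FUTURE  || true
  rm -rf "$tmp"
}
```

To test a live host instead of the constructed certificates, pipe `fetch_server_cert mirrors.rockylinux.org` into a file and pass that file to `cert_meets_policy` with the policy name; the exit status (0, 1 or 2) makes the check usable from a cron job or CI step.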

We had a similar question some time ago. It was answered here: CURL certificate error on apstream - #5 by neil

Hope this helps answer why keys are 2048 on the mirrors.