manual backport

.changelog/20112.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update RSA key generation to use a key size of at least 2048 bits.
+```

agent/auto-config/auto_encrypt_test.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
 	"net"
 	"net/url"
@@ -107,6 +108,45 @@ func TestAutoEncrypt_generateCSR(t *testing.T) {
 	}
 }
 
+func TestAutoEncrypt_generateCSR_RSA(t *testing.T) {
+	testCases := []struct {
+		name            string
+		keySize         int
+		expectedKeySize int
+	}{
+		{
+			name:            "DefaultKeySize",
+			keySize:         0,
+			expectedKeySize: 4096,
+		},
+		{
+			name:            "KeySize2048",
+			keySize:         2048,
+			expectedKeySize: 2048,
+		},
+	}
+
+	for _, tcase := range testCases {
+		t.Run(tcase.name, func(t *testing.T) {
+			ac := AutoConfig{config: &config.RuntimeConfig{
+				ConnectCAConfig: map[string]interface{}{
+					"PrivateKeyType": "rsa",
+					"PrivateKeyBits": tcase.keySize,
+				},
+			}}
+
+			// Generate a private RSA key.
+			_, key, err := ac.generateCSR()
+			require.NoError(t, err)
+
+			// Parse the private key and check it's length.
+			pemBlock, _ := pem.Decode([]byte(key))
+			priv, _ := x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
+			require.Equal(t, tcase.expectedKeySize, priv.N.BitLen())
+		})
+	}
+}
+
 func TestAutoEncrypt_hosts(t *testing.T) {
 	type testCase struct {
 		serverProvider ServerProvider

agent/connect/generate.go

@@ -97,9 +97,9 @@ func generateECDSAKey(keyBits int) (crypto.Signer, string, error) {
 // GeneratePrivateKey generates a new Private key
 func GeneratePrivateKeyWithConfig(keyType string, keyBits int) (crypto.Signer, string, error) {
 	switch strings.ToLower(keyType) {
-	case "rsa":
+	case PrivateKeyTypeRSA:
 		return generateRSAKey(keyBits)
-	case "ec":
+	case DefaultPrivateKeyType:
 		return generateECDSAKey(keyBits)
 	default:
 		return nil, "", fmt.Errorf("unknown private key type requested: %s", keyType)