terraform-plugin-sdk
helper/acctest: Generate 2048 bit long private keys in helper/acctest.RandTLSCert
Generate 2048 bit long private keys in helper/acctest.RandTLSCert instead of 1024 bit long private keys.
This closes #621
Hi @LKaemmerling 👋 Thank you for submitting this change and apologies for the delayed response here. Unfortunately, we cannot merge a change like this as-is because it could represent a breaking change for systems or testing that may be explicitly expecting the lower bit count. Similar to the response in the associated issue, it's not likely we would accept a different form of the change either, therefore I'm going to close this submission not because its security concerns aren't valid, but because these helpers are unfortunately a source of potential maintenance burden.
At some point since this was raised, we began documenting the cryptographic specifics of the similar acctest.RandSSHKeyPair() and recommending that testing with different or stronger security requirements should use code created outside this codebase. Similar documentation would apply for acctest.RandTLSCert(). Security requirements are constantly evolving and it is untenable for this Go module to maintain all possible permutations required for cryptographic logic needed across the entire provider ecosystem without constant maintenance or inevitably needing to introduce breaking changes to the exported Go APIs. Future major versions of this code would likely remove helpers like these for that reason.
Thanks again though!
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.