URL: https://github.com/freeipa/freeipa/pull/2290
Author: abbra
Title: #2290: Use 4096 RSA key by default for CA signing certificate
Action: opened

PR body:
"""
Note that we are not making the choice of CA key size configurable yet,
only changing it to a reasonable default for 2018.

Related: https://pagure.io/freeipa/issue/6790
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2290/head:pr2290
git checkout pr2290
From 5bd915b5425888a2f8d9ce0d2e3da51c423c2aad Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 27 Aug 2018 22:28:49 +0300
Subject: [PATCH] Use 4096 RSA key by default for CA signing certificate

Note that we are not making the choice of CA key size configurable yet,
only changing it to a reasonable default for 2018.

Related: https://pagure.io/freeipa/issue/6790
---
 ipalib/constants.py             | 1 +
 ipaserver/install/cainstance.py | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 41da33cf4c..6da65d518e 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -279,6 +279,7 @@
 DOMAIN_SUFFIX_NAME = 'domain'
 CA_SUFFIX_NAME = 'ca'
 PKI_GSSAPI_SERVICE_NAME = 'dogtag'
+PKI_CA_SIGNING_KEY_SIZE = '4096'
 IPA_CA_CN = u'ipa'
 IPA_CA_RECORD = "ipa-ca"
 IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
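Review bot: the new constant PKI_CA_SIGNING_KEY_SIZE = '4096' is a string rather than an integer with no comment saying why; since the value is only ever passed to config.set(), which expects string values, add a one-line comment next to it stating that it is deliberately a string for the pkispawn config and that it is intentionally not configurable yet (as the commit message says), so a later contributor does not "fix" it to an int or silently make it tunable.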
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c90940d73d..1138020efb 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -573,6 +573,9 @@ def __spawn_instance(self):
         # CA key algorithm
         config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
 
+        # CA default key size
+        config.set("CA", "pki_ca_signing_key_size", ipalib.constants.PKI_CA_SIGNING_KEY_SIZE)
+
         if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
                 os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
             # generate pin which we know can be used for FIPS NSS database
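Review bot: the new line references ipalib.constants.PKI_CA_SIGNING_KEY_SIZE via the fully qualified module path, while the surrounding code in __spawn_instance reads settings from self (for example self.ca_signing_algorithm); please confirm that cainstance.py actually imports ipalib (or ipalib.constants) at module level, otherwise this raises NameError at install time, and consider importing the constant directly to match the style of the other constants used in this file. The comment "# CA default key size" should also say "CA signing key size" to match the option name pki_ca_signing_key_size, since this size applies only to the CA signing key written into the pkispawn config for a new CA instance.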
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org