On Wed, Mar 10, 2021 at 07:26:52PM -0500, Rob Crittenden via FreeIPA-users wrote: > Yevhen Syvachenko via FreeIPA-users wrote: > > Hi, > > > > Pease help me to install FreeIPA that uses a 8192 bit key length for IPA RA > > and the hosts' certificates. > > > > Having all the rumor about quantum computers and being a certified paranoid > > I need to configure a backbone FreeIPA instance with CA key length equal to > > 15360. Other keys should be no less than 8192 bits. > > > > The following approach does the trick for most certificates except IPA RA > > and the hosts' certificates that are still 2048. > > > > # ipa-server-install --pki-config-override $PWD/pki_override.cfg > > These other certs are obtained via certmonger. If a key size isn't > requested then certmonger uses the default, compiled-in size, of 2048. > > It would be straightforward to use ipa-getcert rekey to replace the > Apache, LDAP and PKINIT certs. I'm not 100% sure about the RA cert. > custodia handles distributing it to new CAs but I'm not entirely sure if > anything manual is needed for it to recognize a new private key. >
I haven't tested, but I think that post-install rekey of IPA RA certificate *might* work. But only if it is done before creating any replicas. Doing it after replicas have been created will be... painful. The only other option I see is to hack support for specifying key size into ipalib/install/certmonger.py:request_cert (and related subroutines). Then you can hardcode the desired key size in ipaserver/install/cainstance.py:__request_ra_certificate. Ability to specify key sizes in certmonger.py would be a useful change for FreeIPA. Yevhen, if you are willing feel free to implement this and submit a pull request. Thanks, Fraser _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure