Алексей Иванов via FreeIPA-users wrote: > Greetings, > > During installation process I used following pki_override.cfg file > > [DEFAULT] > pki_admin_key_algorithm=SHA512withRSA > pki_admin_key_size=8192 > pki_audit_signing_key_algorithm=SHA512withRSA > pki_audit_signing_key_size=8192 > pki_audit_signing_key_type=rsa > pki_audit_signing_signing_algorithm=SHA512withRSA > pki_ssl_server_key_algorithm=SHA512withRSA > pki_ssl_server_key_size=8192 > pki_sslserver_signing_algorithm=SHA512withRSA > pki_subsystem_key_algorithm=SHA512withRSA > pki_subsystem_signing_algorithm=SHA512withRSA > pki_subsystem_key_size=8192 > [CA] > pki_ca_signing_key_size=8192 > pki_ca_signing_key_algorithm=SHA512withRSA > pki_ca_signing_signing_algorithm=SHA512withRSA > pki_ocsp_signing_key_algorithm=SHA512withRSA > pki_ocsp_signing_key_size=8192 > pki_ocsp_signing_signing_algorithm=SHA512withRSA > [KRA] > pki_storage_key_algorithm=SHA512withRSA > pki_storage_key_size=8192 > pki_storage_signing_algorithm=SHA512withRSA > pki_transport_key_algorithm=SHA512withRSA > pki_transport_key_size=8192 > pki_transport_signing_algorithm=SHA512withRSA > [OCSP] > pki_ocsp_signing_key_algorithm=SHA512withRSA > pki_ocsp_signing_key_size=8192 > pki_ocsp_signing_signing_algorithm=SHA512hRSA > > This lead to the following error when I'm trying to add subCA > > Request failed with status 400: Non-2xx response from CA REST API: 400. > Failed to issue CA certificate. Final status: rejected. Additional info: > Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched > > By default we have three certificate profiles caIPAserviceCert, > KDCs_PKINIT_Certs, IECUserRoles but changing them does not fix this > error. Could you please tell me where I can find a subCA certificate > template?
Look in /var/log/pki/pki-tomcat/ca/debug-<date> and it should tell you the profile it used. At one point subCA keys were hardcoded at 2048. I don't know if that is still the case. 8k keys everywhere are going to tank performance, particularly the 8k server-cert key. rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
