On Fri, 26 Apr 2019, Christian Heimes wrote:
On 26/04/2019 00.55, Anthony Joseph Messina via FreeIPA-devel wrote:
On Thursday, April 25, 2019 9:44:10 AM CDT Rob Crittenden via FreeIPA-devel wrote:
- Increase the IPA RSA key size from 3072 to 2048 bits (6790)
Can the above clarify whether existing installs will upgrade the CA cert to 3072 bits or if it's only new installs? If it's only new installs, maybe a link to upgrading the CA cert.
Alexander, Rob, could you please follow Anthony's suggestion and improve the release note?
Yes, it is in my plan. I'm waiting for Monday to solicit more feedback and then will write them all down in the wiki. We should have most required pull requests land in both master and ipa-4-7 by that time.
It is technically not possible to upgrade an existing CA certificate. You would have to create a new root CA and re-issue all existing certificates to use the new root CA. There are ways to make the transition a bit smoother, e.g. alternative chaining. But that's a complex process.
It's not supported in 4.8. We may address the issue in a future release. For now, 2048 RSA keys are good enough. All relevant public root CAs in the CA/B forum use 2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.
Could you please collect references that we can point to?
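The "alternative chaining" mentioned above is cross-signing: the new root's key is certified a second time by the old root, so a client that still trusts only the old root can build a chain to certificates issued under the new root. The following is an added example, not FreeIPA or Dogtag code, written against the Go standard library. It constructs an old 2048-bit root, a new 3072-bit root, a cross-signed copy of the new root (same subject and public key, signed by the old root), and a leaf issued by the new root, then checks which trust configurations accept the leaf. All names ("Old IPA Root", "New IPA Root", "ipa.example.test") are made up for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainReport records key sizes and which trust stores accept the leaf.
type ChainReport struct {
	OldRootBits, NewRootBits int
	TrustNewRootOnly         bool // client already trusts the new root
	TrustOldRootOnly         bool // client trusts only the old root, no cross-sign available
	TrustOldWithCrossSign    bool // client trusts only the old root, cross-signed cert served as intermediate
}

func mustKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template; CA templates get CertSign usage.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // hypothetical names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{"ipa.example.test"} // hypothetical host
	}
	return t
}

// sign issues tmpl for pub, signed by parentKey; parent == tmpl yields a self-signed cert.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifies reports whether leaf chains to one of roots, optionally via intermediates.
func verifies(leaf *x509.Certificate, roots, inters []*x509.Certificate) bool {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range inters {
		ip.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, CurrentTime: time.Now()})
	return err == nil
}

// Demo performs the root transition with cross-signing and reports the outcome.
func Demo() ChainReport {
	oldKey, newKey, leafKey := mustKey(2048), mustKey(3072), mustKey(2048)

	oldTmpl := template("Old IPA Root", 1, true)
	oldRoot := sign(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey) // self-signed, 2048-bit

	newTmpl := template("New IPA Root", 2, true)
	newRoot := sign(newTmpl, newTmpl, &newKey.PublicKey, newKey) // self-signed, 3072-bit

	// Cross-sign: same subject and public key as newRoot, but signed by the old root.
	crossSigned := sign(template("New IPA Root", 3, true), oldRoot, &newKey.PublicKey, oldKey)

	// Leaf re-issued under the new root, as every existing certificate would have to be.
	leaf := sign(template("ipa.example.test", 4, false), newRoot, &leafKey.PublicKey, newKey)

	return ChainReport{
		OldRootBits:           oldRoot.PublicKey.(*rsa.PublicKey).N.BitLen(),
		NewRootBits:           newRoot.PublicKey.(*rsa.PublicKey).N.BitLen(),
		TrustNewRootOnly:      verifies(leaf, []*x509.Certificate{newRoot}, nil),
		TrustOldRootOnly:      verifies(leaf, []*x509.Certificate{oldRoot}, nil),
		TrustOldWithCrossSign: verifies(leaf, []*x509.Certificate{oldRoot}, []*x509.Certificate{crossSigned}),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The report shows the operational point behind "complex process": clients that have not yet received the new root only accept re-issued certificates while the cross-signed certificate is served alongside them, so the old root (and its 2048-bit key) stays security-relevant until every trust store has been updated and the cross-signed chain is retired.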