On Fri, 26 Apr 2019, Christian Heimes wrote:
> On 26/04/2019 00.55, Anthony Joseph Messina via FreeIPA-devel wrote:
>> On Thursday, April 25, 2019 9:44:10 AM CDT Rob Crittenden via FreeIPA-devel
>> wrote:
>>> * Increase the IPA RSA key size from 3072 to 2048 bits (6790)
>>
>> Can the above clarify whether existing installs will upgrade the CA cert to
>> 3072 bits or if it's only new installs? If it's only new installs, maybe a
>> link to upgrading the CA cert.
>
> Alexander, Rob, could you please follow Anthony's suggestion and improve
> the release note?
Yes, it is in my plan. I'm waiting for Monday to solicit more feedback
and then will write them all down in the wiki. We should have most
required pull requests land in both master and ipa-4-7 by that time.

> It is technically not possible to upgrade an existing CA certificate.
> You would have to create a new root CA and re-issue all existing
> certificates to use the new root CA. There are ways to make the
> transition a bit smooth, e.g. alternative chaining. But that's a complex
> process.
>
> It's not supported in 4.8. We may address the issue in a future release.
> For now, 2048 RSA keys are good enough. All relevant public root CAs in
> the CA/B forum use 2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.
Could you please collect references that we can point to?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
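The "alternative chaining" transition Christian mentions, as an added example that is not part of this thread and is not FreeIPA's own tooling: an old 2048-bit root cross-signs a new 3072-bit root, so clients that trust only the old root can still build a path to certificates issued by the new one. It assumes only the openssl command line; all CA names, file names and the working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: a minimal
# cross-signing ("alternative chaining") setup. Names and files are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Old root: 2048-bit RSA, self-signed (stands in for the existing CA).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/O=Example/CN=Old Root CA" -keyout old.key -out old.pem 2>/dev/null

# New root: 3072-bit RSA. The CSR is kept so that one key pair can be
# both self-signed (the future trust anchor) and cross-signed by the old root.
openssl req -newkey rsa:3072 -nodes -sha256 \
  -subj "/O=Example/CN=New Root CA" -keyout new.key -out new.csr 2>/dev/null
openssl x509 -req -in new.csr -signkey new.key -sha256 -days 3650 \
  -extfile ca.ext -out new.pem 2>/dev/null
# Cross certificate: same subject and key as new.pem, issued by the old root.
openssl x509 -req -in new.csr -CA old.pem -CAkey old.key -CAcreateserial \
  -sha256 -days 3650 -extfile ca.ext -out cross.pem 2>/dev/null

# A leaf certificate issued only by the new root.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Example/CN=host.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA new.pem -CAkey new.key -CAcreateserial \
  -sha256 -days 365 -out leaf.pem 2>/dev/null

# Print the RSA modulus size of a certificate's public key.
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed if leaf.pem chains to the trust anchor in $1, with cross.pem
# offered as an untrusted intermediate (as a server would send it).
verify_with_cross() {
  openssl verify -CAfile "$1" -untrusted cross.pem leaf.pem >/dev/null 2>&1
}

# Succeed if leaf.pem chains to the trust anchor in $1 without the cross cert.
verify_plain() {
  openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
}

echo "old root: $(key_bits old.pem) bit, new root: $(key_bits new.pem) bit"
```

The same check (key_bits on the CA certificate) tells you which key size an existing install actually carries, and verify_plain shows why a relying party that trusts only the old root fails without the cross certificate.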