Yevhen Syvachenko via FreeIPA-users wrote:
Hi,
Please help me to install FreeIPA that uses a 8192 bit key length for IPA RA and the
hosts' certificates.
Having all the rumor about quantum computers and being a certified paranoid I need to
configure a backbone FreeIPA instance with CA key length equal to 15360. Other keys should
be no less than 8192 bits.
The following approach does the trick for most certificates except IPA RA and the
hosts' certificates that are still 2048.
# ipa-server-install --pki-config-override $PWD/pki_override.cfg
These other certs are obtained via certmonger. If a key size isn't
requested then certmonger uses the default, compiled-in size, of 2048.
It would be straightforward to use ipa-getcert rekey to replace the
Apache, LDAP and PKINIT certs. I'm not 100% sure about the RA cert.
custodia handles distributing it to new CAs but I'm not entirely sure if
anything manual is needed for it to recognize a new private key.
rob
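The rekey step Rob describes, written out as a script. This is an added example, not code from the thread or from the FreeIPA project. It assumes the `ipa-getcert list` output shape shown in the constructed sample, certificates stored as files (type=FILE; the LDAP server certificate normally lives in an NSS database and is not handled here), the `ipa-getcert rekey -i ID -g BITS` form, and an openssl binary on PATH. Request IDs and paths in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): list certmonger-tracked
# file-based certificates whose RSA key is below TARGET_BITS and print the
# ipa-getcert rekey command that replaces each key with a larger one.
# Assumptions: `ipa-getcert list` output layout as in SAMPLE_LIST below,
# FILE-type certificate storage, `ipa-getcert rekey -i ID -g BITS`, openssl.

TARGET_BITS=${TARGET_BITS:-8192}

# Constructed sample of `ipa-getcert list` output, trimmed to the lines
# this script reads. IDs and paths are made up for illustration.
SAMPLE_LIST="Number of certificates and requests being tracked: 2.
Request ID '20240101000001':
	status: MONITORING
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pin set
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
Request ID '20240101000002':
	status: MONITORING
	key pair storage: type=FILE,location='/var/lib/ipa/private/ra.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
"

# parse_tracking: read `ipa-getcert list` output on stdin and emit one
# "<request id> <certificate path>" line per FILE-stored certificate.
# Splitting on single quotes isolates the quoted ID and the quoted location.
parse_tracking() {
    awk -F"'" '
        /^Request ID /                          { id = $2 }
        /^[[:space:]]*certificate: type=FILE,/  { if (id != "") print id, $2; id = "" }
    '
}

# cert_bits: print the RSA modulus size of a PEM certificate, or 0 when the
# file cannot be read or the size cannot be parsed.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# rekey_cmd: the command that makes certmonger generate a new key of the
# given size for a tracking request and submit a CSR for it to the same CA.
rekey_cmd() {
    printf 'ipa-getcert rekey -i %s -g %s\n' "$1" "$2"
}

# plan_rekeys: for every tracked FILE certificate below TARGET_BITS, print
# the rekey command; unreadable certificates are reported and skipped so a
# missing file is never mistaken for a weak key.
# Usage on a live server: ipa-getcert list | plan_rekeys
plan_rekeys() {
    parse_tracking | while read -r id cert; do
        bits=$(cert_bits "$cert")
        if [ "$bits" -eq 0 ]; then
            printf 'skipping %s: cannot read %s\n' "$id" "$cert" >&2
        elif [ "$bits" -lt "$TARGET_BITS" ]; then
            rekey_cmd "$id" "$TARGET_BITS"
        fi
    done
}

# Stand-alone dry run on the constructed sample: shows what was parsed.
printf '%s' "$SAMPLE_LIST" | parse_tracking
```

Run the printed commands one at a time and check the post-save command (for example the Apache restart) completed before moving to the next, since each rekey replaces the key file in place. Verify with `openssl x509 -in <cert> -noout -text | grep Public-Key` afterwards.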