On Wed, Mar 10, 2021 at 07:26:52PM -0500, Rob Crittenden via FreeIPA-users wrote:
> Yevhen Syvachenko via FreeIPA-users wrote:
>> Hi,
>>
>> Please help me to install FreeIPA that uses an 8192 bit key length for IPA RA and the
>> hosts' certificates.
>>
>> Having all the rumor about quantum computers and being a certified paranoid I need
>> to configure a backbone FreeIPA instance with CA key length equal to 15360. Other keys
>> should be no less than 8192 bits.
>>
>> The following approach does the trick for most certificates except IPA RA and the
>> hosts' certificates that are still 2048.
>>
>> # ipa-server-install --pki-config-override $PWD/pki_override.cfg
>
> These other certs are obtained via certmonger. If a key size isn't
> requested then certmonger uses the default, compiled-in size, of 2048.
>
> It would be straightforward to use ipa-getcert rekey to replace the
> Apache, LDAP and PKINIT certs. I'm not 100% sure about the RA cert.
> custodia handles distributing it to new CAs but I'm not entirely sure if
> anything manual is needed for it to recognize a new private key.

I haven't tested, but I think that post-install rekey of IPA RA
certificate *might* work. But only if it is done before creating
any replicas. Doing it after replicas have been created will be...
painful.

The only other option I see is to hack support for specifying key
size into ipalib/install/certmonger.py:request_cert (and related
subroutines). Then you can hardcode the desired key size in
ipaserver/install/cainstance.py:__request_ra_certificate.

Ability to specify key sizes in certmonger.py would be a useful
change for FreeIPA. Yevhen, if you are willing feel free to
implement this and submit a pull request.

Thanks,
Fraser
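The rekey route Rob describes for the Apache, LDAP and PKINIT certificates, written out as a script. This is an added example and not code from the thread or from the FreeIPA project. It assumes that `ipa-getcert rekey -i ID -g BITS` generates a new key pair of BITS bits and re-issues the certificate, that `ipa-getcert list -i ID` reports the request status, that certmonger's post-save commands restart the affected service, and that the certificate locations are those of a recent FreeIPA (confirm them with `ipa-getcert list` on your server). The `ipa-getcert list` output embedded in the script is constructed so the selection logic can be run offline; the IPA RA agent certificate is deliberately not selected, since the thread is unsure a post-install rekey of it is safe.

```shell
#!/bin/bash
# Added example, not from the thread or from FreeIPA: rekey the certmonger-tracked
# Apache, LDAP and PKINIT certificates with a larger RSA key.
# Assumed: `ipa-getcert rekey -i ID -g BITS` generates a BITS-bit key pair and
# re-issues the certificate; `ipa-getcert list -i ID` reports the request status;
# certmonger's post-save commands restart the affected service.
set -eu

GETCERT="${GETCERT:-ipa-getcert}"   # overridable so the logic can be exercised without IPA
MIN_BITS="${MIN_BITS:-8192}"

# Certificate locations of the three service certs (assumed paths of a recent FreeIPA;
# confirm against `ipa-getcert list` on your own server). The RA agent cert is not listed.
SERVICE_CERT_PATTERN='/var/lib/ipa/certs/httpd[.]crt|/var/kerberos/krb5kdc/kdc[.]crt|/etc/dirsrv/slapd-'

# Constructed sample of `ipa-getcert list` output (real output indents with tabs).
SAMPLE_LISTING=$(cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20210310190001':
    status: MONITORING
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
Request ID '20210310190002':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
Request ID '20210310190003':
    status: MONITORING
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
Request ID '20210310190004':
    status: MONITORING
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: IPA
EOF
)

# stdin: `ipa-getcert list` output. stdout: "<request id>\t<certificate location>" per
# tracked request. Splitting on single quotes makes the ID the second field of the
# "Request ID" line and the location the second field of the "certificate:" line,
# for both type=FILE and type=NSSDB storage.
tracked_certs() {
  awk -F"'" '
    /^Request ID/               { id = $2 }
    /^[[:space:]]*certificate:/ { if (id != "") printf "%s\t%s\n", id, $2; id = "" }
  '
}

# stdin as above; stdout: request IDs whose certificate lives at a service cert location.
service_cert_ids() {
  tracked_certs | awk -F'\t' -v pat="$SERVICE_CERT_PATTERN" '$2 ~ pat { print $1 }'
}

# Rekey one request and poll until certmonger reaches MONITORING (success) or a terminal
# error state. Prints "<id> <final status>"; anything other than MONITORING needs a look
# at `ipa-getcert list -i <id>` and the certmonger journal.
rekey_request() {
  local id="$1" bits="$2" status="" i
  "$GETCERT" rekey -i "$id" -g "$bits"
  for i in $(seq 1 60); do
    status=$("$GETCERT" list -i "$id" |
      awk -F': ' '/^[[:space:]]*status:/ && s == "" { s = $2 } END { print s }')
    case "$status" in
      MONITORING|CA_REJECTED|CA_UNREACHABLE|NEED_GUIDANCE) break ;;
    esac
    sleep 2
  done
  printf '%s %s\n' "$id" "$status"
}

# stdin: `ipa-getcert list` output. Rekeys every service cert it finds, one at a time.
rekey_service_certs() {
  local id
  for id in $(service_cert_ids); do
    rekey_request "$id" "$MIN_BITS"
  done
}

# Check the key size actually in an issued PEM certificate. For the LDAP cert in the NSS
# database use `certutil -L -d /etc/dirsrv/slapd-<REALM> -n Server-Cert` instead.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

case "${1:-}" in
  --rekey) "$GETCERT" list | rekey_service_certs ;;               # act on the live server
  --list)  "$GETCERT" list | service_cert_ids ;;                  # only show what would be rekeyed
  *)       printf '%s\n' "$SAMPLE_LISTING" | service_cert_ids ;;  # dry run on the constructed sample
esac
```

Run it with `--list` first and compare the request IDs against `ipa-getcert list` before using `--rekey`; afterwards `cert_key_bits /var/lib/ipa/certs/httpd.crt` should report the new size. The script selects certificates by location rather than by position in the listing because request IDs differ from server to server.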