Hi All,

While your paranoia might be making you do it, you're doing a lot of work and not providing yourself with much protection. Basically, RSA-2048 provides 25 bits of quantum protection and RSA-15360 only provides 31 bits.
https://techbeacon.com/security/waiting-quantum-computing-why-encryption-has-nothing-worry-about

Cheers


-----Original Message-----
From: Yevhen Syvachenko via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
To: freeipa-users@lists.fedorahosted.org
Cc: Yevhen Syvachenko <sivachenko@gmail.com>
Subject: [Freeipa-users] How to set IPA RA key length
Date: Wed, 10 Mar 2021 19:58:24 -0000

Hi, 

Please help me to install FreeIPA so that it uses an 8192-bit key length for the IPA RA and the hosts' certificates.

With all the rumors about quantum computers, and being a certified paranoid, I need to configure a backbone FreeIPA instance with a CA key length equal to 15360. Other keys should be no less than 8192 bits.

The following approach does the trick for most certificates, except the IPA RA and the hosts' certificates, which are still 2048 bits.

# ipa-server-install --pki-config-override $PWD/pki_override.cfg

Where pki_override.cfg is created using:
# cat > pki_override.cfg <<EOF
[DEFAULT]
pki_admin_key_algorithm=SHA512withRSA
pki_admin_key_size=8192
pki_admin_key_type=rsa
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=15360
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_signing_algorithm=SHA512withRSA
pki_sslserver_key_size=8192
pki_sslserver_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_signing_algorithm=SHA512withRSA
pki_subsystem_key_size=15360
pki_subsystem_key_type=rsa
[CA]
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=15360
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
[KRA]
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=15360
pki_storage_key_type=rsa
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=15360
pki_transport_key_type=rsa
pki_transport_signing_algorithm=SHA512withRSA
[OCSP]
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
EOF

I would very much appreciate it if we avoid debates about the necessary key length.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
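Whatever key length you settle on, the useful check after an install like the one above is to read the modulus size out of every certificate the server actually ended up with, rather than trusting the override file. The script below is an added example, not code from the thread or from the FreeIPA/Dogtag projects: it walks the DER of each PEM certificate with the standard library only (no python-cryptography needed on a minimal host) and reports the RSA modulus bit length against a minimum you choose. The certificate paths in the usage note are assumptions about a FreeIPA host and may differ by version; the sample certificate built by `build_sample_cert_pem` is constructed for testing and is not a valid signed certificate.

```python
"""Report the RSA modulus size of each certificate in a set of PEM blobs.

Added example for auditing key lengths after ipa-server-install.
Standard library only; the DER walk covers exactly what is needed to reach
the SubjectPublicKeyInfo of an X.509 certificate.
"""
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value_bytes) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        yield tag, value


def rsa_bits_from_spki(spki_body):
    """Modulus bit length for an RSA SubjectPublicKeyInfo body, or None if not RSA."""
    alg_body, bitstring = [v for _, v in _children(spki_body)]
    oid = next(v for t, v in _children(alg_body) if t == 0x06)
    if oid != OID_RSA_ENCRYPTION:
        return None
    # BIT STRING body: one unused-bits byte, then the RSAPublicKey SEQUENCE
    _, rsa_pub_body, _ = _tlv(bitstring, 1)
    modulus = next(v for t, v in _children(rsa_pub_body) if t == 0x02)
    return int.from_bytes(modulus, "big").bit_length()


def rsa_bits_from_cert_der(der):
    """Modulus bit length of the subject key in a DER-encoded X.509 certificate."""
    _, cert_body, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs_body, _ = _tlv(cert_body, 0)     # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return rsa_bits_from_spki(fields[5][1])


def rsa_bits_from_pem(pem_bytes):
    """List of modulus sizes, one per certificate found in a PEM blob."""
    sizes = []
    for m in PEM_RE.finditer(pem_bytes):
        der = base64.b64decode(b"".join(m.group(1).split()))
        sizes.append(rsa_bits_from_cert_der(der))
    return sizes


def audit(blobs, minimum):
    """For {name: pem_bytes}, return [(name, bits, meets_minimum)] per certificate."""
    report = []
    for name, pem in blobs.items():
        for bits in rsa_bits_from_pem(pem):
            report.append((name, bits, bits is not None and bits >= minimum))
    return report


# --- constructed test fixture: a certificate-shaped DER with a dummy RSA key ---
def _der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(i):
    """DER INTEGER for a non-negative int (leading 0x00 when the high bit is set)."""
    return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def build_sample_cert_pem(modulus_bits):
    """Constructed, unsigned certificate with a modulus of exactly modulus_bits bits."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der(0x30, _der(0x06, OID_RSA_ENCRYPTION) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    name = _der(0x30, b"")                                   # empty Name
    validity = _der(0x30, _der(0x17, b"210310000000Z") * 2)  # UTCTime x2
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg + name + validity + name + spki)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(32)))  # dummy signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: python3 keysize_audit.py MIN_BITS cert.pem [cert.pem ...]
    minimum = int(sys.argv[1])
    blobs = {p: open(p, "rb").read() for p in sys.argv[2:]}
    report = audit(blobs, minimum)
    for name, bits, ok in report:
        print(f"{'OK ' if ok else 'LOW'} {str(bits or '?'):>6} {name}")
    sys.exit(0 if report and all(ok for _, _, ok in report) else 1)
```

On an IPA server you would point it at the files you care about, for example (paths assumed, check your version) the RA agent certificate under /var/lib/ipa/ and the HTTP/LDAP service certificates, plus /etc/ipa/ca.crt for the CA chain, with the minimum set to 8192 to see at a glance which certificates the override file did not reach. The DER walk deliberately does not verify signatures or validity; it only answers the question asked in the thread, which is how long the keys actually are.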