On 26/04/2019 00.55, Anthony Joseph Messina via FreeIPA-devel wrote:
> On Thursday, April 25, 2019 9:44:10 AM CDT Rob Crittenden via FreeIPA-devel
> wrote:
>> * Increase the IPA RSA key size from 3072 to 2048 bits (6790)
>
> Can the above clarify whether existing installs will upgrade the CA cert to
> 3072 bits or if it's only new installs? If it's only new installs, maybe a
> link to upgrading the CA cert.
Alexander, Rob, could you please follow Anthony's suggestion and improve the
release note?

It is technically not possible to upgrade an existing CA certificate. You would
have to create a new root CA and re-issue all existing certificates to use the
new root CA. There are ways to make the transition a bit smoother, e.g.
alternative chaining. But that's a complex process. It's not supported in 4.8.
We may address the issue in a future release.

For now, 2048-bit RSA keys are good enough. All relevant public root CAs in the
CA/B Forum use 2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.

Christian

--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael O'Neill, Tom Savage, Eric Shander
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org