Hi, Please help me to install FreeIPA that uses an 8192-bit key length for IPA RA and the hosts' certificates.
Given all the rumors about quantum computers, and being a certified paranoid, I need to configure a backbone FreeIPA instance with a CA key length equal to 15360. Other keys should be no less than 8192 bits. The following approach does the trick for most certificates except IPA RA and the hosts' certificates, which are still 2048.

# ipa-server-install --pki-config-override $PWD/pki_override.cfg

Where pki_override.cfg is created using:

# cat > pki_override.cfg <<EOF
[DEFAULT]
pki_admin_key_algorithm=SHA512withRSA
pki_admin_key_size=8192
pki_admin_key_type=rsa
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=15360
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_signing_algorithm=SHA512withRSA
pki_sslserver_key_size=8192
pki_sslserver_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_signing_algorithm=SHA512withRSA
pki_subsystem_key_size=15360
pki_subsystem_key_type=rsa

[CA]
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=15360
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

[KRA]
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=15360
pki_storage_key_type=rsa
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=15360
pki_transport_key_type=rsa
pki_transport_signing_algorithm=SHA512withRSA

[OCSP]
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
EOF

I would very much appreciate it if we avoid debates about the necessary key length.
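Added example, not part of the original post and not FreeIPA or Dogtag code: a pre-install check that reads an override file in the format shown above and flags every *_key_size parameter below the sizes the post asks for (15360 for the CA signing key, 8192 for everything else). The function names and the sample file are constructed for illustration, and the check covers only parameters present in the override file, so it says nothing about the IPA RA or host certificates that the post reports are still 2048.

```python
import configparser

# Policy stated in the post: CA signing key of 15360 bits, all other keys >= 8192.
CA_SIGNING_BITS = 15360
MIN_OTHER_BITS = 8192

# Constructed sample: a shortened override file in the post's format, with one
# deliberately weak value (pki_sslserver_key_size=2048) to produce a finding.
SAMPLE_CFG = """\
[DEFAULT]
pki_admin_key_size=8192
pki_sslserver_key_size=2048

[CA]
pki_ca_signing_key_size=15360
pki_ocsp_signing_key_size=15360
"""


def audit_key_sizes(cfg_text):
    """Return (section, parameter, bits, required_bits, ok) for every *_key_size."""
    # Treat [DEFAULT] as an ordinary section so each parameter is reported once,
    # under the section that defines it, instead of being copied into the others.
    parser = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    parser.read_string(cfg_text)
    findings = []
    for section in parser.sections():
        for key, value in parser[section].items():
            if not key.endswith("_key_size"):
                continue
            required = CA_SIGNING_BITS if key == "pki_ca_signing_key_size" else MIN_OTHER_BITS
            try:
                bits = int(value)
            except ValueError:
                bits = None  # non-numeric value: always reported as failing
            ok = bits is not None and bits >= required
            findings.append((section, key, bits, required, ok))
    return findings


def failures(cfg_text):
    """Only the parameters that do not meet the policy."""
    return [f for f in audit_key_sizes(cfg_text) if not f[4]]


if __name__ == "__main__":
    for section, key, bits, required, ok in audit_key_sizes(SAMPLE_CFG):
        print(f"{'OK  ' if ok else 'WEAK'} [{section}] {key}={bits} (required >= {required})")
```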