Hi All,

While your paranoia might be making you do it, you're doing a lot of work and not providing yourself with much protection. Basically RSA-2048 provides 25 bits of quantum protection and RSA-15360 only provides 31 bits.

https://techbeacon.com/security/waiting-quantum-computing-why-encryption-has-nothing-worry-about
Cheers

-----Original Message-----
From: Yevhen Syvachenko via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
To: freeipa-users@lists.fedorahosted.org
Cc: Yevhen Syvachenko <sivache...@gmail.com>
Subject: [Freeipa-users] How to set IPA RA key length
Date: Wed, 10 Mar 2021 19:58:24 -0000

Hi,

Please help me to install FreeIPA that uses an 8192-bit key length for IPA RA and the hosts' certificates.

Having all the rumors about quantum computers and being a certified paranoid, I need to configure a backbone FreeIPA instance with CA key length equal to 15360. Other keys should be no less than 8192 bits.

The following approach does the trick for most certificates except IPA RA and the hosts' certificates, which are still 2048.

# ipa-server-install --pki-config-override $PWD/pki_override.cfg

Where pki_override.cfg is created using:

# cat > pki_override.cfg <<EOF
[DEFAULT]
pki_admin_key_algorithm=SHA512withRSA
pki_admin_key_size=8192
pki_admin_key_type=rsa
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=15360
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_signing_algorithm=SHA512withRSA
pki_sslserver_key_size=8192
pki_sslserver_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_signing_algorithm=SHA512withRSA
pki_subsystem_key_size=15360
pki_subsystem_key_type=rsa
[CA]
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=15360
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
[KRA]
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=15360
pki_storage_key_type=rsa
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=15360
pki_transport_key_type=rsa
pki_transport_signing_algorithm=SHA512withRSA
[OCSP]
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
EOF

I would very much appreciate it if we avoid debates about the necessary key length.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
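An added example, not from the thread or the FreeIPA project, to audit an override file like the one quoted above before running the installer: it parses every `*_key_size` entry (the sample below is a constructed subset of the thread's pki_override.cfg), checks each against a minimum, and reports the NIST SP 800-57 classical security strength of that modulus size, which also shows what the 2048-bit RA and host certificates actually give you today. Only the quantum figures in the reply come from its linked article; the strength table here is classical.

```python
import configparser

# Constructed sample: a subset of the pki_override.cfg quoted in the thread.
SAMPLE_OVERRIDE = """
[DEFAULT]
pki_admin_key_size=8192
pki_admin_key_type=rsa
pki_sslserver_key_size=8192
pki_sslserver_key_type=rsa
pki_subsystem_key_size=15360
pki_subsystem_key_type=rsa
[CA]
pki_ca_signing_key_size=15360
pki_ca_signing_key_type=rsa
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
"""

# NIST SP 800-57 Part 1: classical security strength (bits) of an RSA modulus.
RSA_STRENGTH_BITS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]


def classical_strength(modulus_bits):
    """Largest NIST strength level the modulus reaches, or None below 1024."""
    for size, strength in RSA_STRENGTH_BITS:
        if modulus_bits >= size:
            return strength
    return None


def audit_key_sizes(cfg_text, minimum_bits):
    """Return {(section, key): (size, strength, meets_minimum)} for each *_key_size.

    configparser folds [DEFAULT] into every other section, so entries that
    merely inherit the DEFAULT value are reported once, under DEFAULT.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    results = {}
    for section in ["DEFAULT"] + parser.sections():
        for key in parser[section]:
            if not key.endswith("_key_size"):
                continue
            if section != "DEFAULT" and parser.defaults().get(key) == parser[section][key]:
                continue  # inherited unchanged from DEFAULT, already reported
            size = parser.getint(section, key)
            results[(section, key)] = (size, classical_strength(size), size >= minimum_bits)
    return results
```

Running `audit_key_sizes(SAMPLE_OVERRIDE, 8192)` shows every override meets the poster's floor, while `classical_strength(2048)` shows the untouched RA and host certificates sit at the 112-bit level.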