Yevhen Syvachenko via FreeIPA-users wrote: > Hi, > > Pease help me to install FreeIPA that uses a 8192 bit key length for IPA RA > and the hosts' certificates. > > Having all the rumor about quantum computers and being a certified paranoid I > need to configure a backbone FreeIPA instance with CA key length equal to > 15360. Other keys should be no less than 8192 bits. > > The following approach does the trick for most certificates except IPA RA and > the hosts' certificates that are still 2048. > > # ipa-server-install --pki-config-override $PWD/pki_override.cfg
These other certs are obtained via certmonger. If a key size isn't requested then certmonger uses the default, compiled-in size, of 2048. It would be straightforward to use ipa-getcert rekey to replace the Apache, LDAP and PKINIT certs. I'm not 100% sure about the RA cert. custodia handles distributing it to new CAs but I'm not entirely sure if anything manual is needed for it to recognize a new private key. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
