When trying to create a signed certificate for my firewall, which cannot register itself with the FreeIPA domain, I opted to create an 8192-bit key. Because cert-request does not permit 8192-bit 'Ultra' keys, the user is restricted to using a maximum key of 4096 bits. Given that the tooling permits the creation of a key, it should also permit the use of it.
```
$ ipa --version
VERSION: 4.3.2, API_VERSION: 2.164
$ ipa host-add host.example.com
$ ipa service-add HTTP/host.example.com
$ ipa-getkeytab -s ipa.example.com -p HTTP/host.example.com -k host.keytab
$ cat << _EOF_ >server.tmpl
> cn = "host.example.com"
> signing_key
> tls_www_server
> encryption_key
> _EOF_
$ certtool --generate-privkey --outfile host.pem --bits=8192
** Note: You may use '--sec-param Ultra' instead of '--bits 8192'
Generating a 8192 bit RSA private key...
$ certtool --generate-request --load-privkey host.pem --outfile host.csr --template server.tmpl
Generating a PKCS #10 certificate request...
Self signature: verified
$ ipa cert-request --principal HTTP/host.example.com host.csr
ipa: ERROR: Certificate operation cannot be completed: unknown(3) (Request 13 Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)
```
In general just because some tool can generate a CSR with a given value doesn't mean that a CA will honor the request.
The error you're seeing is not from cert-request; it is from the CA configuration.
In this case the CA profile caIPAserviceCert is configured to only issue certs with RSA keys in sizes of 1024, 2048, 3072 and 4096.
Note that with an 8K RSA key you'd be looking at extremely low SSL performance; I'm guessing on the order of 50 ops/second on modern hardware (Intel i7).
Metadata Update from @pingramau:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
You can modify the certificate profile - or add a new one - to allow 8192-bit keys. The parameter of interest is:
```
policyset.<name>.<n>.constraint.params.keyParameters=1024,2048,3072,4096,8192
```
I added the ",8192" to the config, updated the profile, and then was able to request a certificate with 8192-bit key, no worries.
Going to close this notabug/invalid.
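To make the rejection and the profile fix above concrete, here is an added example (not FreeIPA or Dogtag code) that parses a constructed fragment of a profile config in the key=value format shown, applies the keyParameters constraint to a requester's RSA key size the way the CA does, and produces the edited profile that permits 8192-bit keys. The config text, the policyset name `serverCertSet` and the function names are assumptions made for the example.

```python
import re

# Constructed sample profile fragment in the Dogtag key=value format
# (assumed layout; not the real caIPAserviceCert file).
PROFILE_CFG = """\
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.1.constraint.name=Key Constraint
policyset.serverCertSet.1.constraint.params.keyType=RSA
policyset.serverCertSet.1.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.2.constraint.class_id=noConstraintImpl
"""

# Matches the parameter the ticket is about, in any policyset / policy number.
KEY_PARAMS_RE = re.compile(
    r"^(policyset\.[^.]+\.\d+\.constraint\.params\.keyParameters)=(.*)$", re.M)


def allowed_key_sizes(cfg):
    """Map each keyParameters constraint to the RSA key sizes it permits."""
    return {m.group(1): [int(x) for x in m.group(2).split(",") if x.strip()]
            for m in KEY_PARAMS_RE.finditer(cfg)}


def check_key_size(cfg, bits):
    """Apply the key constraint to a request's key size: (accepted, reason).

    The reason string mirrors the CA's "Key Parameters ... Not Matched" text.
    """
    for _name, sizes in allowed_key_sizes(cfg).items():
        if bits not in sizes:
            joined = ",".join(str(s) for s in sizes)
            return False, "Key Parameters %s Not Matched" % joined
    return True, "ok"


def permit_key_size(cfg, bits):
    """Return a copy of the profile with `bits` added to every keyParameters list."""
    def add(m):
        sizes = [int(x) for x in m.group(2).split(",") if x.strip()]
        if bits not in sizes:
            sizes.append(bits)
        return "%s=%s" % (m.group(1), ",".join(str(s) for s in sorted(sizes)))
    return KEY_PARAMS_RE.sub(add, cfg)


if __name__ == "__main__":
    print(check_key_size(PROFILE_CFG, 8192))                        # rejected
    print(check_key_size(permit_key_size(PROFILE_CFG, 8192), 8192))  # accepted
```

On a real deployment the same edit is made by exporting the profile with `ipa certprofile-show caIPAserviceCert --out=FILE`, changing the keyParameters line, and re-importing it with `ipa certprofile-mod caIPAserviceCert --file=FILE`.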
@ftweedal IIUC scope of this ticket it to add ",8192" to allowed key sizes by default. See the oddly formatted comment from pvoborni (https://pagure.io/freeipa/issue/6319#comment-328482).
@dkupka Hm, ok. (My brain had a parse error on the malformed comment and ignored it!) If it's wanted for new installs only, it's a one-liner. I'll submit a PR tomorrow or later tonight.
master:
ipa-4-5:
Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)