#6319 ipa cert-request limits key size to 1024,2048,3072,4096 bits
Closed: fixed 7 years ago Opened 8 years ago by pingramau.

When trying to create a signed certificate for my firewall, which cannot register itself with the FreeIPA domain, I opted to create an 8192-bit key. Because cert-request does not permit 8192-bit 'Ultra' keys, the user is restricted to using a maximum key of 4096 bits. Given that the tooling permits the creation of a key, it should also permit the use of it.

$ ipa --version
VERSION: 4.3.2, API_VERSION: 2.164
$ ipa host-add host.example.com
$ ipa service-add HTTP/host.example.com
$ ipa-getkeytab -s ipa.example.com -p HTTP/host.example.com -k host.keytab
$ cat << _EOF_ >server.tmpl
>   cn = "host.example.com"
>   signing_key
>   tls_www_server
>   encryption_key
> _EOF_
$ certtool --generate-privkey --outfile host.pem --bits=8192
** Note: You may use '--sec-param Ultra' instead of '--bits 8192'
Generating a 8192 bit RSA private key...
$ certtool --generate-request --load-privkey host.pem --outfile host.csr --template server.tmpl
Generating a PKCS #10 certificate request...
Self signature: verified

$ ipa cert-request --principal HTTP/host.example.com host.csr
ipa: ERROR: Certificate operation cannot be completed: unknown(3) (Request 13 Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)

In general just because some tool can generate a CSR with a given value doesn't mean that a CA will honor the request.

The error you're seeing is not cert-request it is the CA configuration.

In this case the CA profile caIPAserviceCert is configured to only issue certs with RSA keys in sizes of 1024,2048,3072 and 4096.

Note that with an 8K RSA key you'd be looking at extremely low SSL performance; I'm guessing on the order of 50 ops/second on modern hardware (Intel i7).

  • devmtg: 4.5 new installs only if special code is needed for upgrade (limit scope of the ticket)
  • blipton: If I read it correctly, current upgrade code will not change the profile if it already exists

Metadata Update from @pingramau:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

7 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

7 years ago

You can modify the certificate profile - or add a new one - to allow 8192-bit keys.
The parameter of interest is:

policyset.<name>.<n>.constraint.params.keyParameters=1024,2048,3072,4096,8192

I added the ",8192" to the config, updated the profile, and then was able to request a certificate with 8192-bit key, no worries.

Going to close this notabug/invalid.
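Added example, not code from the ticket or from FreeIPA itself, covering both the rejection in the report above and the profile fix described in this comment. It is a POSIX shell script that reads an exported profile, reports the key sizes its keyParameters constraint accepts, checks a requested key size against that list before a cert-request is attempted, and appends 8192 without duplicating it. The profile fragment is constructed for the example, and its policyset name "serverCertSet" and index 3 are assumptions (the functions match any policyset.<name>.<n>.constraint.params.keyParameters line, as written in the comment). widen_profile() uses the ipa certprofile-show --out / certprofile-mod --file commands and csr_key_bits() uses openssl, so neither is exercised offline.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA. It widens the RSA
# key-size constraint behind "Key Parameters 1024,2048,3072,4096 Not Matched"
# and checks a key size against a profile before a CSR is submitted.
#
# Labelled assumptions: the profile text below is a constructed fragment; its
# policyset name "serverCertSet" and index 3 are assumed for the sample (the
# functions match any policyset.<name>.<n>.constraint.params.keyParameters
# line). widen_profile() and csr_key_bits() need the ipa CLI / openssl and
# are not run here.

# Constructed sample: the key constraint of a profile that still rejects 8192.
SAMPLE_PROFILE=$(cat <<'EOF'
profileId=caIPAserviceCert
policyset.list=serverCertSet
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
EOF
)

# Print the comma-separated sizes accepted by the key constraint of the
# profile read on stdin (for an RSA keyConstraintImpl these are bit lengths).
allowed_key_sizes() {
    sed -n 's/^policyset\.[^.]*\.[0-9][0-9]*\.constraint\.params\.keyParameters=//p'
}

# Exit 0 if SIZE ($1) is one of the sizes allowed by the profile on stdin.
key_size_allowed() {
    allowed_key_sizes | tr ',' '\n' | grep -qx "$1"
}

# Copy the profile on stdin to stdout with SIZE ($1) appended to the
# keyParameters list. Idempotent: a size already listed is not added twice.
add_key_size() {
    size=$1
    while IFS= read -r line; do
        case "$line" in
        policyset.*.constraint.params.keyParameters=*)
            key=${line%%=*}
            list=${line#*=}
            if ! printf '%s\n' "$list" | tr ',' '\n' | grep -qx "$size"; then
                list="$list,$size"
            fi
            printf '%s=%s\n' "$key" "$list"
            ;;
        *)
            printf '%s\n' "$line"
            ;;
        esac
    done
}

# Public-key length in bits of a PEM CSR, taken from openssl's
# "Public-Key: (8192 bit)" line. Needs openssl; not run by the test.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Export PROFILE ($1) from the IPA CA, widen it to accept SIZE ($2), and load
# it back. Needs the ipa CLI and an admin ticket (kinit admin); not run here.
widen_profile() {
    profile=$1
    size=$2
    ipa certprofile-show "$profile" --out="$profile.cfg"
    add_key_size "$size" < "$profile.cfg" > "$profile.widened.cfg"
    ipa certprofile-mod "$profile" --file="$profile.widened.cfg"
}

# Demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_PROFILE" | key_size_allowed 8192; then
    echo "8192 already allowed"
else
    echo "8192 rejected; profile allows: $(printf '%s\n' "$SAMPLE_PROFILE" | allowed_key_sizes)"
fi
WIDENED=$(printf '%s\n' "$SAMPLE_PROFILE" | add_key_size 8192)
echo "after widening: $(printf '%s\n' "$WIDENED" | allowed_key_sizes)"
```

Against a real CA the sequence is `kinit admin` followed by `widen_profile caIPAserviceCert 8192`, after which the cert-request from the report goes through; to leave the default profile alone and add a new one instead, feed the widened file to `ipa certprofile-import` with a new name and `--store=TRUE`, then pass that name to `ipa cert-request --profile-id`. As the meeting notes above say, the upgrade code does not rewrite a profile that already exists, so a deployment installed before the fix needs this manual step even after updating.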

@ftweedal IIUC scope of this ticket it to add ",8192" to allowed key sizes by default. See the oddly formatted comment from pvoborni (https://pagure.io/freeipa/issue/6319#comment-328482).

@dkupka Hm, ok. (My brain had a parse error on the malformed comment and ignored it!) If it's wanted for new installs only, it's a one-liner. I'll submit a PR tomorrow or later tonight.

master:

  • 1530758 Support 8192-bit RSA keys in default cert profile

ipa-4-5:

  • 9118c08 Support 8192-bit RSA keys in default cert profile

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
