freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#6319 ipa cert-request limits key size to 1024,2048,3072,4096 bits

Created 6 months ago by pingramau
Modified 5 days ago

When trying to create a signed certificate for my firewall, which cannot register itself with the FreeIPA domain, I opted to create an 8192-bit key. Because cert-request does not permit 8192-bit 'Ultra' keys, the user is restricted to using a maximum key of 4096 bits. Given that the tooling permits the creation of a key, it should also permit the use of it.

$ ipa --version
VERSION: 4.3.2, API_VERSION: 2.164

$ ipa host-add host.example.com
$ ipa service-add HTTP/host.example.com
$ ipa-getkeytab -s ipa.example.com -p HTTP/host.example.com -k host.keytab
$ cat << _EOF_ >server.tmpl
>   cn = "host.example.com"
>   signing_key
>   tls_www_server
>   encryption_key
> _EOF_
$ certtool --generate-privkey --outfile host.pem --bits=8192
** Note: You may use '--sec-param Ultra' instead of '--bits 8192'
Generating a 8192 bit RSA private key...
$ certtool --generate-request --load-privkey host.pem --outfile host.csr --template server.tmpl
Generating a PKCS #10 certificate request...
Self signature: verified

$ ipa cert-request --principal HTTP/host.example.com host.csr
ipa: ERROR: Certificate operation cannot be completed: unknown(3) (Request 13 Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)

In general just because some tool can generate a CSR with a given value doesn't mean that a CA will honor the request.

The error you're seeing is not from cert-request, it is the CA configuration.

In this case the CA profile caIPAserviceCert is configured to only issue certs with RSA keys in sizes of 1024,2048,3072 and 4096.

Note that with an 8K RSA key you'd be looking at extremely low SSL performance; I'm guessing on the order of 50 ops/second on modern hardware (Intel i7).

  • devmtg: 4.5 new installs only if special code is needed for upgrade (limit scope of the ticket)
  • blipton: If I read it correctly, current upgrade code will not change the profile if it already exists
Edited 6 days ago by pvoborni
a month ago

Metadata Update from @pingramau:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

11 days ago

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

You can modify the certificate profile - or add a new one - to allow 8192-bit keys.
The parameter of interest is:

policyset.<name>.<n>.constraint.params.keyParameters=1024,2048,3072,4096,8192

I added the ",8192" to the config, updated the profile, and then was able to request a certificate with 8192-bit key, no worries.

Going to close this notabug/invalid.
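As an added example (not code from the ticket or from the FreeIPA project), a POSIX shell helper that applies the profile change described above to an exported profile config and checks whether a given RSA key size would pass the keyParameters constraint. The profile fragment is constructed for the demo (only the key-constraint lines, with an assumed `serverCertSet.3` index); the export/import commands assume `ipa certprofile-show --out` and `ipa certprofile-mod --file`.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA itself.
# Works on a profile exported with `ipa certprofile-show <name> --out <file>`;
# the edited file is applied with `ipa certprofile-mod <name> --file <file>`.
# The fragment below is constructed: only the key-constraint lines are shown
# and the policy index (serverCertSet.3) is assumed.

PROFILE_CFG="$(mktemp)"
cat > "$PROFILE_CFG" <<'EOF'
profileId=caIPAserviceCert
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
EOF

# BRE matching the "policyset.<name>.<n>.constraint.params.keyParameters=" key
KEYPARAM_RE='policyset\.[^.]*\.[0-9]*\.constraint\.params\.keyParameters='

# allowed_key_sizes FILE: print the comma-separated keyParameters value
allowed_key_sizes() {
    sed -n "s/^$KEYPARAM_RE//p" "$1"
}

# key_size_allowed FILE BITS: succeed only if the constraint lists BITS,
# i.e. the CA would not reject the CSR with "Key Parameters ... Not Matched"
key_size_allowed() {
    allowed_key_sizes "$1" | tr ',' '\n' | grep -qx "$2"
}

# add_key_size FILE BITS: append ",BITS" to keyParameters (idempotent)
add_key_size() {
    file="$1"; bits="$2"
    key_size_allowed "$file" "$bits" && return 0
    sed "s/^\($KEYPARAM_RE.*\)\$/\1,$bits/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Usage against a live server (not run here; needs an admin Kerberos ticket):
#   ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg
#   add_key_size caIPAserviceCert.cfg 8192
#   ipa certprofile-mod caIPAserviceCert --file caIPAserviceCert.cfg
```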

@ftweedal IIUC the scope of this ticket is to add ",8192" to the allowed key sizes by default. See the oddly formatted comment from pvoborni (https://pagure.io/freeipa/issue/6319#comment-328482).

@dkupka Hm, ok. (My brain had a parse error on the malformed comment and ignored it!) If it's wanted for new installs only, it's a one-liner. I'll submit a PR tomorrow or later tonight.

master:

  • 1530758475c2e21dd732581ff6816e03ca74dede Support 8192-bit RSA keys in default cert profile

ipa-4-5:

  • 9118c08455d42f4e7f43370be1a858595a60bc9a Support 8192-bit RSA keys in default cert profile
5 days ago

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
