#6790 [RFE] Allow creating IPA CA with 3072-bit key.
Closed: fixed a year ago by cheimes. Opened 3 years ago by ftweedal.

IPA CA is created with 2048-bit key and there is no way to override this
during installation.

Allow IPA to be deployed with 4096-bit key. Presumably, key size should be customisable within reasonable-for-today limits, e.g. {2048, 3072, 4096, 8192, 16384}. Exactly what should be allowed is up for discussion.

Update 2019-04-29: Clarify that 3084-bit default is chosen.

Being able to use ECC instead of RSA for the IPA CA cert would be nice too.

@bja there's already a ticket for that: https://pagure.io/freeipa/issue/3951

(They could be be tackled at the same time, modulo other stuff breaking/not supporting ECC).

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to todo
- Issue set to the milestone: FreeIPA 4.7
- Issue tagged with: rfe

3 years ago

We might also consider making it default.

Metadata Update from @ftweedal:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1598708 (was: todo)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

A 4096bit RSA key is rather slow and uncommon. I haven't seen any public CA in the CA/B forum that has a 4096 RSA key. NIST Special Publication 800-57 Part 3 Revision 1 recommends 2048bit RSA keys for all purposes and suggests either 2048 or 3072bit RSA keys for CA and OCSP. The wikipedia article on key size https://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths suggests that 2048 is fine until 2030. On the same page, NSA recommends 3072bit RSA.

Let's ask our crypto team first before we bump the default to something slow.

@cheimes, this activity is due to a recent discussion with our crypto team. FUTURE profile in crypto-policies in Fedora requires RSA 3072, indeed.

The purpose of the pull request (https://github.com/freeipa/freeipa/pull/2291, I had to open a new one to get around Github's sorting issues for commits) was to find out whether we have hard-coded assumptions in the code that prevent us from changing 2048 bit RSA to something larger. And yes, we have issues.

CA certificate renewal (using external CA) in ipa-cacert-manage renew produces a CSR with hard-coded 2048 bit key size even if you set up IPA CA with something larger (I used 4096 in the PR). This breaks External CA tests because ipa-cacert-manage renew is not accepting new signed CA public certificate as it becomes different to the original one (4096 vs 2048).

I believe I fixed most of the test to avoid hard-coding 2048 for CA specifically. We now use named constants from ipalib.constants to refer to our current choice of the crypto parameters. What exact parameters will be there depends on what we want to default on.

(commented too fast about SHA384 support in Dogtag profiles).

We decided to bump the CA key size to 3072 instead of 4096 because it's the recommended size by NIST and 4096 is considerable slower. Here are some speed tests on an Intel i7-6820HQ. The test is single threaded and runs with 3.6 GHz Turbo Boost.

$ openssl speed rsa2048 rsa3072 rsa4096
Doing 2048 bits private rsa's for 10s: 15169 2048 bits private RSA's in 9.98s
Doing 2048 bits public rsa's for 10s: 511245 2048 bits public RSA's in 9.98s
Doing 3072 bits private rsa's for 10s: 5025 3072 bits private RSA's in 9.98s
Doing 3072 bits public rsa's for 10s: 250935 3072 bits public RSA's in 9.98s
Doing 4096 bits private rsa's for 10s: 2260 4096 bits private RSA's in 9.98s
Doing 4096 bits public rsa's for 10s: 146799 4096 bits public RSA's in 9.98s
OpenSSL 1.1.1b FIPS  26 Feb 2019
built on: Fri Mar 15 16:10:28 2019 UTC
options:bn(64,64) md2(char) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.000658s 0.000020s   1519.9  51227.0
rsa 3072 bits 0.001986s 0.000040s    503.5  25143.8
rsa 4096 bits 0.004416s 0.000068s    226.5  14709.3


  • 45b8cc1 Increase default key size for CA to 3072 bits
  • 00a7868 Reuse key type and size in certmonger resubmit
  • 2bad9fd Explain why tests still use 2048bit external CA

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Login to comment on this ticket.