IPA CA is created with 2048-bit key and there is no way to override this during installation.
Allow IPA to be deployed with 4096-bit key. Presumably, key size should be customisable within reasonable-for-today limits, e.g. {2048, 3072, 4096, 8192, 16384}. Exactly what should be allowed is up for discussion.
Update 2019-04-29: Clarify that 3084-bit default is chosen.
Being able to use ECC instead of RSA for the IPA CA cert would be nice too.
@bja there's already a ticket for that: https://pagure.io/freeipa/issue/3951
(They could be be tackled at the same time, modulo other stuff breaking/not supporting ECC).
Metadata Update from @pvoborni: - Custom field rhbz adjusted to todo - Issue set to the milestone: FreeIPA 4.7 - Issue tagged with: rfe
We might also consider making it default.
Metadata Update from @ftweedal: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1598708 (was: todo)
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
PR to default to 4096 key as a starting point: https://github.com/freeipa/freeipa/pull/2290
A 4096bit RSA key is rather slow and uncommon. I haven't seen any public CA in the CA/B forum that has a 4096 RSA key. NIST Special Publication 800-57 Part 3 Revision 1 recommends 2048bit RSA keys for all purposes and suggests either 2048 or 3072bit RSA keys for CA and OCSP. The wikipedia article on key size https://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths suggests that 2048 is fine until 2030. On the same page, NSA recommends 3072bit RSA.
Let's ask our crypto team first before we bump the default to something slow.
@cheimes, this activity is due to a recent discussion with our crypto team. FUTURE profile in crypto-policies in Fedora requires RSA 3072, indeed.
The purpose of the pull request (https://github.com/freeipa/freeipa/pull/2291, I had to open a new one to get around Github's sorting issues for commits) was to find out whether we have hard-coded assumptions in the code that prevent us from changing 2048 bit RSA to something larger. And yes, we have issues.
CA certificate renewal (using external CA) in ipa-cacert-manage renew produces a CSR with hard-coded 2048 bit key size even if you set up IPA CA with something larger (I used 4096 in the PR). This breaks External CA tests because ipa-cacert-manage renew is not accepting new signed CA public certificate as it becomes different to the original one (4096 vs 2048).
ipa-cacert-manage renew
I believe I fixed most of the test to avoid hard-coding 2048 for CA specifically. We now use named constants from ipalib.constants to refer to our current choice of the crypto parameters. What exact parameters will be there depends on what we want to default on.
ipalib.constants
(commented too fast about SHA384 support in Dogtag profiles).
We decided to bump the CA key size to 3072 instead of 4096 because it's the recommended size by NIST and 4096 is considerable slower. Here are some speed tests on an Intel i7-6820HQ. The test is single threaded and runs with 3.6 GHz Turbo Boost.
$ openssl speed rsa2048 rsa3072 rsa4096 Doing 2048 bits private rsa's for 10s: 15169 2048 bits private RSA's in 9.98s Doing 2048 bits public rsa's for 10s: 511245 2048 bits public RSA's in 9.98s Doing 3072 bits private rsa's for 10s: 5025 3072 bits private RSA's in 9.98s Doing 3072 bits public rsa's for 10s: 250935 3072 bits public RSA's in 9.98s Doing 4096 bits private rsa's for 10s: 2260 4096 bits private RSA's in 9.98s Doing 4096 bits public rsa's for 10s: 146799 4096 bits public RSA's in 9.98s OpenSSL 1.1.1b FIPS 26 Feb 2019 built on: Fri Mar 15 16:10:28 2019 UTC options:bn(64,64) md2(char) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config" sign verify sign/s verify/s rsa 2048 bits 0.000658s 0.000020s 1519.9 51227.0 rsa 3072 bits 0.001986s 0.000040s 503.5 25143.8 rsa 4096 bits 0.004416s 0.000068s 226.5 14709.3
master:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.