#8777 Allow FreeIPA to support RSA keys up to 16384 bit length inclusive
Opened 3 years ago by ysyvachenko. Modified 2 years ago

Request for enhancement

As Admin, I want to set up FreeIPA with 16384-bit keys so that the configured system can survive the interim period before post-quantum cryptography is available.

Issue

While there is all that rumour about quantum computers, we still lack a standard for post-quantum cryptography, as far as I know. Increasing RSA key lengths may leverage the existing infrastructure in the interim, because many experts suspect technical issues with building quantum computers that can handle long keys.

PGP-related projects have made a decision: e.g. GPG supports up to 8192 bits while suggesting that users generate 4096-bit keys. Their 'world' is quite specific, as there are a lot of dongles and battery-powered devices that aim to generate, store and process PGP keys originating from any Internet user.

OpenSSL starts showing a warning when generating 32768-bit keys and larger, but still allows generating even 65536-bit keys (maybe even more; I have not tested).

In the FreeIPA and Dogtag 'world', we do not have issues with low-power devices, and, most importantly, we aim to build an isolated infrastructure for specific needs. Personally, I can see a benefit in configuring FreeIPA with 16384-bit key lengths for backbone FreeIPA systems.

Steps to Reproduce

  • Create a pki_override.cfg file to override Dogtag settings (some keys cannot be set to 15360 because of a certutil limitation; that is out of scope for now):
# cat > pki_override.cfg <<EOF
[DEFAULT]
pki_admin_key_size=8192
pki_audit_signing_key_size=15360
pki_sslserver_key_size=8192
pki_subsystem_key_size=15360
[CA]
pki_ca_signing_key_size=15360
pki_ocsp_signing_key_size=15360
[KRA]
pki_storage_key_size=15360
pki_transport_key_size=15360
[OCSP]
pki_ocsp_signing_key_size=15360
EOF
  • Install FreeIPA
# ipa-server-install --pki-config-override $PWD/pki_override.cfg
  • Try to generate some certificate with
# ipa-getcert request -G rsa -g 15360 -K host/`hostname` -D `hostname` -k /etc/pki/tls/private/cert.key -f /etc/pki/tls/private/cert.crt

Actual behavior

IPA is installed successfully, but only the certificates generated by Dogtag have the necessary key length. IPA-requested certificates have the default key length (e.g. the IPA RA certificate has 2048 bits).

ipa-getcert cannot generate certificates with long keys:

# ipa-getcert list
<truncated>
Request ID '20210328010831':
        status: CA_UNREACHABLE
        ca-error: Server at https://example.com/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Key Parameters 1024,2048,3072,4096,8192 Not Matched).
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/cert.key'
        certificate: type=FILE,location='/etc/pki/tls/private/cert.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Expected behavior

It is possible to specify a key length for certificates requested by IPA.
ipa-getcert can request keys up to 16384 bits inclusive.

Version/Release/Distribution

ipa-server-4.9.0-1.module_el8.4.0+639+a88aab78.x86_64
ipa-client-4.9.0-1.module_el8.4.0+639+a88aab78.x86_64
389-ds-base-1.4.3.16-8.module_el8.4.0+644+ed25d39e.x86_64
pki-ca-10.10.5-1.module_el8.4.0+714+bdc526ac.noarch
krb5-server-1.18.2-8.el8.x86_64
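
The "Key Parameters 1024,2048,3072,4096,8192 Not Matched" error above is the wording of Dogtag's Key Constraint, i.e. the IPA certificate profile carries an allow-list of RSA key sizes and 15360 is not on it. The following is an added example, not code from this ticket or from FreeIPA/Dogtag: it parses a Dogtag-style key=value profile, finds each keyConstraintImpl policy, and reports whether a requested key would be accepted or rejected, then shows how the allow-list would look once 15360 and 16384 are added. The profile excerpt is constructed for the example, and the policy numbering and the keyType/keyParameters parameter names are assumed to follow Dogtag's profile format.

```python
# Constructed excerpt in the style of a Dogtag certificate profile (key=value
# lines). Policy numbering and the keyType/keyParameters parameter names are
# assumptions about Dogtag's keyConstraintImpl format, not copied from a real
# FreeIPA profile.
SAMPLE_PROFILE = """\
profileId=caIPAserviceCert
policyset.list=serverCertSet
policyset.serverCertSet.list=1,3
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
"""


def parse_profile(text):
    """Parse key=value lines into a dict, skipping blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def key_constraints(cfg):
    """Yield (policy_prefix, key_type, allowed_sizes) for every keyConstraintImpl policy."""
    suffix = ".constraint.class_id"
    for key, value in cfg.items():
        if key.endswith(suffix) and value == "keyConstraintImpl":
            prefix = key[: -len(suffix)]
            key_type = cfg.get(prefix + ".constraint.params.keyType", "")
            params = cfg.get(prefix + ".constraint.params.keyParameters", "")
            sizes = [int(s) for s in params.split(",") if s.strip()]
            yield prefix, key_type, sizes


def check_key(cfg, key_type, bits):
    """Return (accepted, message) for a requested key against the profile's constraints.

    The rejection text mirrors the 'Key Parameters ... Not Matched' message seen
    in the ticket; the key-type message is an assumption of the same shape.
    """
    for prefix, ctype, sizes in key_constraints(cfg):
        if ctype and ctype.upper() != key_type.upper():
            return False, f"Key Type {ctype} Not Matched ({prefix})"
        if sizes and bits not in sizes:
            return False, f"Key Parameters {','.join(map(str, sizes))} Not Matched"
    return True, "key accepted"


def widened(cfg, extra_sizes):
    """Return a copy of cfg whose key constraints also allow the given sizes."""
    new = dict(cfg)
    for prefix, _ctype, sizes in key_constraints(cfg):
        merged = sorted(set(sizes) | set(extra_sizes))
        new[prefix + ".constraint.params.keyParameters"] = ",".join(map(str, merged))
    return new


def render_profile(cfg):
    """Serialise the dict back to key=value lines, in sorted key order."""
    return "\n".join(f"{k}={v}" for k, v in sorted(cfg.items())) + "\n"


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    for bits in (2048, 15360, 16384):
        print(bits, check_key(profile, "RSA", bits))
    print(render_profile(widened(profile, [15360, 16384])))
```

On a live server the real profile can be exported with `ipa certprofile-show caIPAserviceCert --out profile.cfg`, run through a check like `check_key` before a request is submitted, and, if the key-size policy is widened, re-imported with `ipa certprofile-mod caIPAserviceCert --file profile.cfg`; whether larger sizes then work end to end still depends on the certmonger and IPA-side limits this ticket asks to raise.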


Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5640

2 years ago
