As Admin, I want to set up FreeIPA with 16384-bit keys so that the configured system can survive the interim period before post-quantum cryptography is available.
While there is all that rumour about quantum computers, we still lack a standard for post-quantum cryptography, as far as I know. Increasing RSA key lengths may leverage the existing infrastructure in the interim, because many experts suspect technical issues with building quantum computers that can handle long keys.
PGP-related projects have made a decision: e.g. GPG supports up to 8192 bits while suggesting 4096-bit keys. Their 'world' is quite specific, as there are a lot of dongles and battery-powered devices that aim to generate, store and process PGP keys originating from any Internet user.
OpenSSL starts showing a warning when generating 32768-bit keys and larger, but still allows generating even 65536-bit keys (maybe even more; I have not tested).
In the FreeIPA and Dogtag 'world', we do not have issues with low-power devices and, what is most important, we aim to build an isolated infrastructure for specific needs. Personally, I can see a benefit in configuring FreeIPA with 16384-bit key lengths for backbone FreeIPA systems.
    # cat > pki_override.cfg <<EOF
    [DEFAULT]
    pki_admin_key_size=8192
    pki_audit_signing_key_size=15360
    pki_sslserver_key_size=8192
    pki_subsystem_key_size=15360
    [CA]
    pki_ca_signing_key_size=15360
    pki_ocsp_signing_key_size=15360
    [KRA]
    pki_storage_key_size=15360
    pki_transport_key_size=15360
    [OCSP]
    pki_ocsp_signing_key_size=15360
    EOF
    # ipa-server-install --pki-config-override $PWD/pki_override.cfg
    # ipa-getcert request -G rsa -g 15360 -K host/`hostname` -D `hostname` -k /etc/pki/tls/private/cert.key -f /etc/pki/tls/private/cert.crt
IPA is installed successfully, but only certificates generated by Dogtag have the necessary key length. IPA-requested certificates have the default key length (e.g. IPA RA has 2048 bits).
ipa-getcert cannot generate certificates with long keys:
    # ipa-getcert list
    <truncated>
    Request ID '20210328010831':
            status: CA_UNREACHABLE
            ca-error: Server at https://example.com/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Key Parameters 1024,2048,3072,4096,8192 Not Matched).
            stuck: no
            key pair storage: type=FILE,location='/etc/pki/tls/private/cert.key'
            certificate: type=FILE,location='/etc/pki/tls/private/cert.crt'
            CA: IPA
            issuer:
            subject:
            expires: unknown
            pre-save command:
            post-save command:
            track: yes
            auto-renew: yes
It is possible to specify a key length for certificates requested by IPA. ipa-getcert can request keys up to 16384 inclusive.
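As an added example (not code from the ticket or from FreeIPA/certmonger), the following parses certmonger's `ipa-getcert list` records, extracts the key parameters the IPA profile reported as accepted in the ca-error shown above, and pre-checks a planned `-g <bits>` value before a request is submitted. The sample output is constructed from the ticket's, the parser assumes certmonger's indented `field: value` line layout, and the 16384-bit ceiling is the ipa-getcert limit the ticket states.

```python
import re

# Constructed sample in the shape of the ticket's `ipa-getcert list` output.
GETCERT_LIST = """\
Request ID '20210328010831':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://example.com/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Key Parameters 1024,2048,3072,4096,8192 Not Matched).
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/cert.key'
\tcertificate: type=FILE,location='/etc/pki/tls/private/cert.crt'
\tCA: IPA
\ttrack: yes
Request ID '20210328010900':
\tstatus: MONITORING
\tCA: IPA
"""

IPA_GETCERT_MAX = 16384  # largest -g value ipa-getcert accepts, per the ticket
KEY_PARAMS_RE = re.compile(r"Key Parameters ([\d,]+) Not Matched")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from certmonger's list output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests[m.group(1)] = {}
        elif current is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split on first colon only
            current[key] = val.strip()
    return requests


def accepted_sizes(ca_error):
    """Key sizes the CA profile accepts, parsed from a ca-error; None if other."""
    m = KEY_PARAMS_RE.search(ca_error)
    return {int(b) for b in m.group(1).split(",")} if m else None


def key_size_rejections(text):
    """{request_id: accepted sizes} for requests failed by a key-size mismatch."""
    parsed = parse_getcert_list(text).items()
    found = {rid: accepted_sizes(f.get("ca-error", "")) for rid, f in parsed}
    return {rid: sizes for rid, sizes in found.items() if sizes is not None}


def check_request_bits(bits, accepted):
    """Verdict for a planned `ipa-getcert request -g <bits>` against a profile."""
    if bits > IPA_GETCERT_MAX:
        return "rejected by ipa-getcert: %d exceeds %d" % (bits, IPA_GETCERT_MAX)
    if bits not in accepted:
        return "rejected by CA profile: %d not in %s" % (bits, sorted(accepted))
    return "accepted"
```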
    ipa-server-4.9.0-1.module_el8.4.0+639+a88aab78.x86_64
    ipa-client-4.9.0-1.module_el8.4.0+639+a88aab78.x86_64
    389-ds-base-1.4.3.16-8.module_el8.4.0+644+ed25d39e.x86_64
    pki-ca-10.10.5-1.module_el8.4.0+714+bdc526ac.noarch
    krb5-server-1.18.2-8.el8.x86_64
Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5640