Алексей Иванов via FreeIPA-users wrote:
Greetings,
During the installation process I used the following pki_override.cfg file:

    [DEFAULT]
    pki_admin_key_algorithm=SHA512withRSA
    pki_admin_key_size=8192
    pki_audit_signing_key_algorithm=SHA512withRSA
    pki_audit_signing_key_size=8192
    pki_audit_signing_key_type=rsa
    pki_audit_signing_signing_algorithm=SHA512withRSA
    pki_ssl_server_key_algorithm=SHA512withRSA
    pki_ssl_server_key_size=8192
    pki_sslserver_signing_algorithm=SHA512withRSA
    pki_subsystem_key_algorithm=SHA512withRSA
    pki_subsystem_signing_algorithm=SHA512withRSA
    pki_subsystem_key_size=8192

    [CA]
    pki_ca_signing_key_size=8192
    pki_ca_signing_key_algorithm=SHA512withRSA
    pki_ca_signing_signing_algorithm=SHA512withRSA
    pki_ocsp_signing_key_algorithm=SHA512withRSA
    pki_ocsp_signing_key_size=8192
    pki_ocsp_signing_signing_algorithm=SHA512withRSA

    [KRA]
    pki_storage_key_algorithm=SHA512withRSA
    pki_storage_key_size=8192
    pki_storage_signing_algorithm=SHA512withRSA
    pki_transport_key_algorithm=SHA512withRSA
    pki_transport_key_size=8192
    pki_transport_signing_algorithm=SHA512withRSA

    [OCSP]
    pki_ocsp_signing_key_algorithm=SHA512withRSA
    pki_ocsp_signing_key_size=8192
    pki_ocsp_signing_signing_algorithm=SHA512withRSA
This led to the following error when I try to add a subCA:

    Request failed with status 400: Non-2xx response from CA REST API: 400. Failed to issue CA certificate. Final status: rejected. Additional info: Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
By default we have three certificate profiles, caIPAserviceCert, KDCs_PKINIT_Certs and IECUserRoles, but changing them does not fix this error. Could you please tell me where I can find the subCA certificate template?
Look in /var/log/pki/pki-tomcat/ca/debug-<date> and it should tell you the profile it used.
At one point subCA keys were hardcoded at 2048. I don't know if that is still the case.
8k keys everywhere are going to tank performance, particularly the 8k server-cert key.
rob
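An added example, not part of either message above: a small Python check that reads a pki_override.cfg and flags every key-size setting outside the parameter list the CA quoted in its rejection ("1024,2048,3072,4096,nistp256,nistp384,nistp521"), plus any signing-algorithm value that is not a recognised Dogtag name. The allowed list is copied from the error in the thread and applies to whichever profile the CA used for the subCA request (the debug log named above tells you which one); the KNOWN_ALGORITHMS set is a short, assumed list of the usual RSA variants, and the sample config below is constructed for the example, with one deliberately mistyped algorithm name.

```python
import configparser

# Key parameters quoted verbatim from the CA's "Not Matched" rejection in the thread.
ALLOWED_KEY_PARAMETERS = {"1024", "2048", "3072", "4096", "nistp256", "nistp384", "nistp521"}

# Assumed short list of accepted signing-algorithm names; SHA512withRSA is the one
# used in the thread, the other two are the common RSA variants Dogtag accepts.
KNOWN_ALGORITHMS = {"SHA256withRSA", "SHA384withRSA", "SHA512withRSA"}

# Constructed sample override file (not the poster's full file): 8192-bit keys in
# [DEFAULT] and [CA], one allowed 4096-bit key, and one mistyped algorithm in [OCSP].
SAMPLE_OVERRIDE = """\
[DEFAULT]
pki_admin_key_algorithm=SHA512withRSA
pki_admin_key_size=8192
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=8192

[CA]
pki_ca_signing_key_size=4096
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=8192

[OCSP]
pki_ocsp_signing_signing_algorithm=SHA512hRSA
"""


def check_override(cfg_text):
    """Return a list of (section, key, value, problem) tuples for settings that the
    profile's allowed key parameters would reject or whose algorithm name is unknown."""
    # Renaming the default section makes pkispawn's [DEFAULT] an ordinary section,
    # so its keys are reported once instead of being merged into every other section.
    parser = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    parser.read_string(cfg_text)

    problems = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.endswith("_key_size") and value not in ALLOWED_KEY_PARAMETERS:
                problems.append((section, key, value, "key size not in profile's allowed list"))
            elif key.endswith("_algorithm") and value not in KNOWN_ALGORITHMS:
                problems.append((section, key, value, "unrecognised algorithm name"))
    return problems


if __name__ == "__main__":
    for section, key, value, problem in check_override(SAMPLE_OVERRIDE):
        print(f"[{section}] {key}={value}: {problem}")
```

Run against a real file with `check_override(open("/path/to/pki_override.cfg").read())`. The check only reproduces the parameter list the CA reported for this one profile; a value pkispawn accepts at install time (as the 8192-bit keys were) can still be rejected later when a profile with a stricter key constraint is used, which is exactly what happened at subCA issuance in the thread.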