Jeffrey van Pelt via FreeIPA-users wrote:
Hi all,
Currently I'm setting up a FreeIPA instance on EL8 with the
crypto-policy set to FUTURE.
When running the ipa-server-install program, it errors out when setting
up the PKI infrastructure.
Below is the command I ran:
```
ipa-server-install --pki-config-override /root/freeipa_pki_override.cfg \
    --setup-adtrust -p Banana123! -a Banana123! -r EXAMPLE.COM -U
```
As this command already shows, I already have some PKI override settings
to ensure all created keys are 4096 bits long:
```
[CA]
pki_ca_signing_key_size=4096
[DEFAULT]
pki_admin_key_size=4096
pki_audit_signing_key_size=4096
pki_sslserver_key_size=4096
pki_subsystem_key_size=4096
```
And even despite these settings, the command errors out giving me the
message as below:
```
..truncated..
  [22/28]: enabling CA instance
  [23/28]: migrating certificate profiles to LDAP
  [24/28]: importing IPA certificate profiles
  [error] NetworkError: cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
So _some_ certificate _somewhere_ is not strong enough, but I can't find
which one it is and how to ensure it's strengthened sufficiently.
When I check the log file it shows basically the same message (except
with a lot of Python stacktraces with 'NetworkError').
When I revert the crypto-policy back to DEFAULT the command as shown
above will succeed.
Anyone have a clue? :)
The RA agent certificate used by IPA is requested from certmonger
without specifying key size so it defaults to 2048 (hardcoded).
I added a setting in upstream certmonger to be able to modify this
default but it is not released yet.
On the IPA side, ipalib/install/certmonger.py::request_cert needs to be
able to take a key size argument and pass in KEY_SIZE in the certmonger
request. How that would tie into the rest of IPA is TBD as some default
would need to be set somewhere.
What problem are you trying to solve using FUTURE policy? 4k keys are
going to be quite slow.
rob
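Jeffrey asks which certificate is too weak, and Rob points at the RA agent certificate that certmonger issues with a 2048-bit key by default. The script below is an added example, not part of the thread or of FreeIPA itself: it reads the public key size out of PEM certificates with nothing but openssl and flags the ones that fall under the 3072-bit RSA minimum that the FUTURE crypto-policy enforces (the minimum is a parameter, so it can be set to 4096 to match the override file above). The directory and file names are placeholders; it assumes RSA certificates, which is the case here.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): find PEM certificates whose
# RSA public key is smaller than the FUTURE policy minimum. Only openssl is
# used. Override the minimum with MIN_BITS=4096 if all keys must be 4096 bits.
MIN_BITS="${MIN_BITS:-3072}"

# Print the public key size in bits of one PEM certificate file.
# Works with both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and
# "Public-Key: (2048 bit)" (OpenSSL 3) output formats.
cert_key_bits() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -noout -text 2>/dev/null \
        | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p'
}

# Exit 0 if the certificate's key meets MIN_BITS, non-zero otherwise
# (also non-zero when the key size cannot be read).
cert_meets_policy() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Scan every *.pem certificate in a directory and report, one line per file,
# which ones would trigger EE_KEY_TOO_SMALL under the FUTURE policy.
report_small_keys() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        bits=$(cert_key_bits "$f")
        if [ -z "$bits" ]; then
            echo "$f: could not read public key"
        elif [ "$bits" -lt "$MIN_BITS" ]; then
            echo "$f: $bits bits (too small for FUTURE, minimum $MIN_BITS)"
        else
            echo "$f: $bits bits (ok)"
        fi
    done
}

# Usage (placeholder path; point it at the directory holding the IPA certs):
#   MIN_BITS=4096 sh check_key_sizes.sh /path/to/certs
if [ -n "$1" ]; then
    report_small_keys "$1"
fi
```

Running it over the server's certificate files before switching the policy to FUTURE shows exactly which certificate the TLS handshake will reject, so the key can be re-issued at the required size instead of guessing from the stack trace.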