freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA


Key length - how to change

dracorp opened this issue · comments

I'm using ansible-freeipa 1.12.1 installed on Redhat9 with the external_ca option.
I got a CSR for the IPA server but I cannot obtain a certificate because of the key length:

openssl req -in ipa.csr -noout -text | grep "Public-Key"
                Public-Key: (3072 bit)

My CA rejects CSRs with "invalid" length.
I need a 4096-bit key length. How can I change this, or can I supply my own CSR to the ansible playbook?

My playbook:

---
- name: Playbook to configure IPA server Step 1
  hosts: ipaserver
  become: true
  vars_files:
  - playbook_sensitive_data.yml
  vars:
    ipaserver_external_ca: yes

  roles:
  - role: ipaserver
    state: present

  post_tasks:
  - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
    fetch:
      src: /root/ipa.csr
      dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
      flat: yes

With options:

ipaserver_setup_dns=no
ipaserver_external_ca=yes

I think it is needed to follow that guide also for the ipaserver role:

  1. Create pki_override.cfg on the target
  2. Set ipaserver_pki_config_override in the inventory or playbook to point to the full path of the file on the target.
  3. Deploy using the ipaserver role
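The three steps above, carried through as one playbook. This is an added example, not code from the issue or from the ansible-freeipa project: it reuses the reporter's playbook, creates the override file on the target before the role runs, and checks the resulting CSR key size with the same openssl command the reporter used. The option names inside the override file (pki_ca_signing_key_size and friends, and the [CA] section) are assumed to be Dogtag pkispawn settings as found in its default.cfg; verify them against the pkispawn configuration shipped on your system before relying on them. The file path /root/pki_override.cfg is also an assumption.

```yaml
---
# Added example (not from the issue or the ansible-freeipa project):
# deploy the ipaserver role with a pkispawn config override so the
# external-CA CSR is generated with a 4096-bit key.
- name: Playbook to configure IPA server Step 1 with a 4096-bit CA key
  hosts: ipaserver
  become: true
  vars_files:
  - playbook_sensitive_data.yml
  vars:
    ipaserver_external_ca: yes
    ipaserver_setup_dns: no
    # Step 2: full path of the override file on the target host (assumed path)
    ipaserver_pki_config_override: /root/pki_override.cfg

  pre_tasks:
  # Step 1: create pki_override.cfg on the target before the role runs.
  # Key names below are assumed Dogtag pkispawn settings; the CSR sent to
  # the external CA is for the CA signing key, so that one matters most.
  - name: Create pkispawn override with 4096-bit key sizes
    copy:
      dest: /root/pki_override.cfg
      owner: root
      group: root
      mode: "0600"
      content: |
        [CA]
        pki_ca_signing_key_size=4096
        pki_sslserver_key_size=4096
        pki_subsystem_key_size=4096
        pki_audit_signing_key_size=4096
        pki_ocsp_signing_key_size=4096

  roles:
  # Step 3: deploy using the ipaserver role
  - role: ipaserver
    state: present

  post_tasks:
  - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
    fetch:
      src: /root/ipa.csr
      dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
      flat: yes

  # Verify the key length before handing the CSR to the external CA,
  # using the same openssl check that revealed the 3072-bit key.
  - name: Read the generated CSR
    command: openssl req -in /root/ipa.csr -noout -text
    register: csr_text
    changed_when: false

  - name: Fail early if the CSR does not carry a 4096-bit key
    assert:
      that:
      - "'Public-Key: (4096 bit)' in csr_text.stdout"
      fail_msg: "CSR key length is not 4096 bit; check /root/pki_override.cfg"
```

The override must exist on the target before the role starts, which is why it is created in pre_tasks rather than post_tasks; ipaserver_pki_config_override points at the file on the managed host, not on the control node. The final assert stops the play before a CSR with the wrong key size is fetched and submitted.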

Hi @t-woerner
I also missed ipaserver_dirsrv_cert_files and ipaserver_http_cert_files. I've created a new private key file and a proper CSR, with my own fields.
Thank you.