Key length - how to change
dracorp opened this issue
I'm using ansible-freeipa 1.12.1 installed on Redhat9 with external_ca option.
I got a CSR for the IPA server but I cannot obtain a certificate because of the key length:

```
openssl req -in ipa.csr -noout -text | grep "Public-Key"
Public-Key: (3072 bit)
```

My CA rejects CSRs with "invalid" length.
I need a 4096 key length. How can I change this, or can I supply my own CSR to the Ansible playbook?
My playbook:
```yaml
---
- name: Playbook to configure IPA server Step 1
  hosts: ipaserver
  become: true
  vars_files:
  - playbook_sensitive_data.yml
  vars:
    ipaserver_external_ca: yes
  roles:
  - role: ipaserver
    state: present
  post_tasks:
  - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
    fetch:
      src: /root/ipa.csr
      dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
      flat: yes
```
With options:
```
ipaserver_setup_dns=no
ipaserver_external_ca=yes
```
I would like to use an Ansible playbook instead of ipa-server-install:
https://frasertweedale.github.io/blog-redhat/posts/2020-01-28-freeipa-override-ca-key-size.html
I think you need to follow that guide for the ipaserver role as well:
- Create `pki_override.cfg` on the target
- Set `ipaserver_pki_config_override` in the inventory or playbook to point to the full path of the file on the target.
- Deploy using the ipaserver role
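
The three steps above combined with the original step 1 playbook, as an added example that is not part of the thread or of ansible-freeipa's own documentation. Assumptions: the override file path `/root/pki_override.cfg`, the helper variable `expected_key_bits`, and the `[CA]` / `pki_ca_signing_key_size` entry (a Dogtag pkispawn setting; take the exact section and key from the linked guide). The CSR key size is checked on the target before the file is fetched for submission to the external CA.

```yaml
---
# Added example. Assumed names: /root/pki_override.cfg and the [CA] key below.
- name: IPA server step 1 with a 4096-bit CA signing key
  hosts: ipaserver
  become: true
  vars_files:
    - playbook_sensitive_data.yml
  vars:
    ipaserver_external_ca: true
    # Hypothetical path; must be the full path of the file on the target.
    ipaserver_pki_config_override: /root/pki_override.cfg
    expected_key_bits: 4096

  pre_tasks:
    # pre_tasks run before roles, so the file exists when the role starts.
    - name: Create the PKI override file on the target
      ansible.builtin.copy:
        dest: "{{ ipaserver_pki_config_override }}"
        owner: root
        group: root
        mode: "0600"
        content: |
          [CA]
          pki_ca_signing_key_size={{ expected_key_bits }}

  roles:
    - role: ipaserver
      state: present

  post_tasks:
    - name: Read the generated CSR
      ansible.builtin.command:
        cmd: openssl req -in /root/ipa.csr -noout -text
      register: csr_text
      changed_when: false

    - name: Stop before submission if the key size is not the expected one
      ansible.builtin.assert:
        that:
          - "('Public-Key: (' ~ expected_key_bits ~ ' bit)') in csr_text.stdout"
        fail_msg: "CSR key size is not {{ expected_key_bits }} bits"

    - name: Copy the CSR to the controller
      ansible.builtin.fetch:
        src: /root/ipa.csr
        dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
        flat: true
```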
Hi @t-woerner
I also missed ipaserver_dirsrv_cert_files and ipaserver_http_cert_files. I've created a new private key file and a proper CSR, with my own fields.
Thank you.