Provide profile component that accepts multiple key types

[flo-renaud]

Add a new profile component that allows multiple key types with a single profile.

• The component should allow restricting the key types and sizes. For example, you could still use to create an EC-only or RSA-only profile.
• The component should recognise all key types and curves that are implemented in Dogtag/JSS.

After implementation:

• we should evaluate which bundled profiles (if any) should be migrated to the new profile
• IPA profiles should be migrated
• Documentation and examples should be migrated, where appropriate (e.g. EST and ACME configurations)

---

Historical description

Companion issue on freeipa side: https://pagure.io/freeipa/issue/9298

When using the latest certbot package (2.1.0-1.fc37, currently available in updates-testing repo), the ACME feature is not working. Test scenario:

• install ipa server with ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
• enable acme: ipa-acme-manage enable
• install an ipa client with hostname client.ipa.test: ipa-client-install --domain ipa.test --realm IPA.TEST --principal admin --password Secret123 --ip-address <IP addr> -U
• register certbot: certbot --server https://ipa-ca.ipa.test/acme/directory register -m nobody@example.test --agree-tos --no-eff-email
• request a standalone cert: certbot --server https://ipa-ca.ipa.test/acme/directory certonly --domain client.ipa.test --standalone

The certonly step is failing, pki logs show an exception: Unable to generate certificate: Key Type RSA Not Matched

The main difference between certbot 1.32.0-1.fc37 and certbot 2.1.0-1.fc37 is that it creates an EDCSA key instead of an RSA key as can be seen in /var/log/letsencrypt/letsencrypt.log:

certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem

Please investigate if the issue is on PKI side or certbot.

[fmarco76]

Following certbot documentation they have modified the default key type from rsa to ecdsa. Is it possible to modify the key type with the option --key-type so it should work as before as a temporary solution?

[frasertweedale]

Yes, that is a temporary solution. But we should now prioritise work to either:

• Support multiple profiles for different key types, examine the CSR to discover its key type, then submit the request to the corresponding profile, or
• Implement new profile components that can accept different key types. Right now a profile can only be RSA, ECDSA or (obsolete) DSA. But there is no reason we can't implement a profile to handle multiple key types and in fact, it would be a nice improvement for both users and administrators. The ACME profile would then have to be updated to use this new component rather than the existing key default/constraint components.

I prefer the latter approach but both are feasible. This consideration arises for EST also (another reason to prefer the second approach).

[ckelleyRH]

@edewata / @fmarco76 - did we raise a ticket for addressing this long-term on our side?

[edewata]

@ckelleyRH Could we use this ticket and maybe just change the title? I agree with @frasertweedale's suggestion on providing profiles that can support multiple key types.

[ckelleyRH]

As you like, works for me!

[frasertweedale]

I updated the title and description, as discussed.

[edewata]

@celestian