freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0
480 stars 231 forks

Key length - how to change #1256

Closed dracorp closed 2 weeks ago

dracorp commented 2 weeks ago

I'm using ansible-freeipa 1.12.1 installed on Red Hat 9 with the external_ca option. I got a CSR for the IPA server, but I cannot obtain a certificate because of the key length:

openssl req -in ipa.csr -noout -text | grep "Public-Key"
                Public-Key: (3072 bit)

My CA rejects CSRs with an "invalid" length. I need a 4096-bit key. How can I change this, or can I supply my own CSR to the Ansible playbook?

My playbook:

---
- name: Playbook to configure IPA server Step 1
  hosts: ipaserver
  become: true
  vars_files:
  - playbook_sensitive_data.yml
  vars:
    ipaserver_external_ca: yes

  roles:
  - role: ipaserver
    state: present

  post_tasks:
  - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
    fetch:
      src: /root/ipa.csr
      dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
      flat: yes

With options:

ipaserver_setup_dns=no
ipaserver_external_ca=yes

dracorp commented 2 weeks ago

I would like to use ansible playbook instead of ipa-server-install: https://frasertweedale.github.io/blog-redhat/posts/2020-01-28-freeipa-override-ca-key-size.html

t-woerner commented 2 weeks ago

I think it is also necessary to follow that guide for the ipaserver role:

1) Create pki_override.cfg on the target.
2) Set ipaserver_pki_config_override in the inventory or playbook to point to the full path of the file on the target.
3) Deploy using the ipaserver role.
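The three steps above, combined with the CSR-fetching playbook from the original report, as one added example playbook (this is not code from the issue or from the ansible-freeipa project). It assumes the override file lives at /root/pki_override.cfg on the target, that the ipaserver role reads ipaserver_pki_config_override as a path on the target, and that the key-size parameters are the Dogtag pkispawn deployment parameters used in the linked blog post (pki_ca_signing_key_size and friends); the [CA] section name and the parameter list should be checked against that post and against pkispawn's own defaults before use. The final assert stops the play before the CSR is handed to the external CA if the key is still not 4096 bits.

```yaml
---
# Added example, not from the issue or from ansible-freeipa.
# Assumptions: /root/pki_override.cfg as the override path, [CA] as the
# pkispawn section, and the pki_*_key_size parameter names from the
# linked blog post.
- name: Deploy IPA server with external CA and 4096-bit CA keys
  hosts: ipaserver
  become: true
  vars_files:
    - playbook_sensitive_data.yml
  vars:
    ipaserver_setup_dns: false
    ipaserver_external_ca: true
    # Step 2: point the role at the override file on the target host
    ipaserver_pki_config_override: /root/pki_override.cfg

  pre_tasks:
    # Step 1: write pki_override.cfg on the target before the role runs pkispawn
    - name: Write pkispawn override requesting 4096-bit RSA keys for the CA certificates
      copy:
        dest: /root/pki_override.cfg
        owner: root
        group: root
        mode: "0600"
        content: |
          [CA]
          pki_ca_signing_key_size=4096
          pki_ocsp_signing_key_size=4096
          pki_subsystem_key_size=4096
          pki_audit_signing_key_size=4096
          pki_sslserver_key_size=4096

  roles:
    # Step 3: deploy; with ipaserver_external_ca the role stops after writing /root/ipa.csr
    - role: ipaserver
      state: present

  post_tasks:
    - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
      fetch:
        src: /root/ipa.csr
        dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
        flat: true

    # Same check the reporter ran by hand, done by the play so a wrong key size is caught
    # before the CSR is submitted to the external CA
    - name: Read the CSR as text
      command: openssl req -in /root/ipa.csr -noout -text
      register: csr_text
      changed_when: false

    - name: Fail early if the CSR public key is not 4096 bits
      assert:
        that:
          - "'Public-Key: (4096 bit)' in csr_text.stdout"
        fail_msg: "CSR key size is not 4096 bits; check /root/pki_override.cfg and re-run"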

dracorp commented 2 weeks ago

Hi @t-woerner, I also missed ipaserver_dirsrv_cert_files and ipaserver_http_cert_files. I've created a new private key file and a proper CSR with my own fields. Thank you.