Story
Resolution: Won't Do
Major
High
rhel-idm-ipa
ssg_idm
x86_64
57,005
Description of problem:
1] Customer wants to install IPA on RHEL 8.4 using update-crypto-policies --set FUTURE.
2] Though we know that this level also provides some (not complete) preparation for post-quantum encryption support in the form of a 256-bit symmetric encryption requirement. The RSA and Diffie-Hellman parameters are accepted if larger than 3071 bits. The level provides at least 128-bit security.
3] So we have tried to set
/root/pki_override.cfg
[CA]
pki_admin_key_size = 4096
pki_admin_keysize = 4096
pki_audit_signing_key_size = 4096
pki_ca_signing_key_size = 4096
pki_ocsp_signing_key_size = 4096
pki_ssl_server_key_size = 4096
pki_sslserver_key_size = 4096
pki_storage_key_size = 4096
pki_subsystem_key_size = 4096
pki_transport_key_size = 4096
and pass it to ipa-server-install via --pki-config-override /root/pki_override.cfg.
After that it fails on the last remaining key, which is still being created as 2048-bit:
/var/lib/ipa/ra-agent.key
/var/lib/ipa/ra-agent.pem
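The failure above comes from one key that the override file does not reach: the CA subsystem keys are all 4096-bit, but the RA agent key is still 2048-bit and the FUTURE policy rejects it at TLS client-cert load time. Before (re)running the installer under a strict policy it is useful to check every RSA private key on the box against the policy minimum. The following is an added example, not FreeIPA, Dogtag or crypto-policies code; it uses only the Python standard library. It assumes a 3072-bit FUTURE minimum (from the report's "larger than 3071 bits") and a 2048-bit DEFAULT minimum (an assumption), and the sample keys it checks are synthetic DER structures it constructs itself, not real key material.

```python
"""Added example (not FreeIPA, Dogtag or crypto-policies code): check RSA
private-key sizes against a crypto-policy minimum using only the standard
library. FUTURE's 3072-bit minimum follows the report ("larger than 3071
bits"); the DEFAULT value 2048 is an assumption. Sample keys are synthetic
DER structures constructed below, not real key material."""
import base64
import configparser
import re

POLICY_MIN_RSA_BITS = {"DEFAULT": 2048, "FUTURE": 3072}  # DEFAULT is assumed

# Excerpt of the report's override file, copied here as test input.
OVERRIDE_CFG = """[CA]
pki_admin_key_size = 4096
pki_ca_signing_key_size = 4096
pki_sslserver_key_size = 4096
pki_subsystem_key_size = 4096
"""


def _der_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _der_children(seq):
    """Split the body of a DER SEQUENCE into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _der_tlv(seq, pos)
        out.append((tag, value))
    return out


def rsa_key_bits(pem):
    """Modulus size in bits of an unencrypted PEM RSA key (PKCS#1 or PKCS#8)."""
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem, re.S).group(1)
    tag, seq, _ = _der_tlv(base64.b64decode("".join(body.split())), 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    elems = _der_children(seq)
    if elems[1][0] == 0x30:  # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        _, inner, _ = _der_tlv(elems[2][1], 0)  # RSAPrivateKey inside the OCTET STRING
        elems = _der_children(inner)
    # PKCS#1 RSAPrivateKey: version INTEGER, modulus INTEGER, publicExponent, ...
    return int.from_bytes(elems[1][1], "big").bit_length()


def key_is_acceptable(pem, policy):
    """True when the key meets the policy level's minimum RSA modulus size."""
    return rsa_key_bits(pem) >= POLICY_MIN_RSA_BITS[policy]


def undersized_override_keys(cfg_text, policy):
    """Return {option: bits} for pki_*size options below the policy minimum."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    minimum = POLICY_MIN_RSA_BITS[policy]
    return {opt: int(val) for sect in cp.sections() for opt, val in cp.items(sect)
            if opt.endswith("size") and int(val) < minimum}


def _der_encode(tag, value):
    """Encode one DER TLV, using long-form length for values of 128+ bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(n):
    """Encode a non-negative integer as a DER INTEGER (leading 0x00 keeps it positive)."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _der_encode(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def synthetic_rsa_pem(bits, pkcs8=False):
    """Structurally valid, cryptographically meaningless RSA key whose modulus
    has exactly `bits` bits (constructed test input for the size check only)."""
    fields = [0, (1 << (bits - 1)) | 1] + [1] * 7  # version, n, e, d, p, q, dP, dQ, qInv
    pkcs1 = _der_encode(0x30, b"".join(_der_int(f) for f in fields))
    if pkcs8:  # wrap in PrivateKeyInfo with the rsaEncryption OID and NULL params
        alg = _der_encode(0x30, bytes.fromhex("06092a864886f70d0101010500"))
        der = _der_encode(0x30, _der_int(0) + alg + _der_encode(0x04, pkcs1))
        label = "PRIVATE KEY"
    else:
        der, label = pkcs1, "RSA PRIVATE KEY"
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


if __name__ == "__main__":
    # A 2048-bit key (what the report saw for ra-agent.key) fails the FUTURE
    # check even though every CA subsystem key in the override file is 4096-bit.
    for bits in (2048, 4096):
        verdict = "accepted" if key_is_acceptable(synthetic_rsa_pem(bits), "FUTURE") else "rejected"
        print(f"{bits}-bit key under FUTURE: {verdict}")
    print("undersized override keys:", undersized_override_keys(OVERRIDE_CFG, "FUTURE"))
```

On a real host, `rsa_key_bits(open("/var/lib/ipa/ra-agent.key").read())` gives the same number the reporter saw, and comparing it against `POLICY_MIN_RSA_BITS["FUTURE"]` predicts the `EE_KEY_TOO_SMALL` rejection before the installer reaches the CA REST login. The override-file check only proves the CA subsystem keys are compliant; it cannot vouch for keys the installer generates outside that file, which is exactly the gap this report documents.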
Version-Release number of selected component (if applicable):
IPA Version: ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
Pki Version: pki-ca-10.10.5-3.module+el8.4.0+11039+635979e4.noarch
How reproducible:
Steps to Reproduce:
1. ipa-server-install fails with the error given below
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1945, in import_included_profiles
conn.get_entry(dn)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1642, in get_entry
size_limit=size_limit, get_effective_rights=get_effective_rights,
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1454, in get_entries
**kwargs)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1592, in find_entries
break
File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1095, in error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')
ipalib.errors.NotFound: no such entry
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request
conn = connection_factory(host, port, **connection_options)
File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory
tls_version_max=api.env.tls_version_max)
File "/usr/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection
ctx.load_cert_chain(client_certfile, client_keyfile, passwd)
ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) <<<<<==========
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request
conn = connection_factory(host, port, **connection_options)
File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory
tls_version_max=api.env.tls_version_max)
File "/usr/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection
ctx.load_cert_chain(client_certfile, client_keyfile, passwd)
ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) <<<===========
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1959, in import_included_profiles
_create_dogtag_profile(profile_id, profile_data, overwrite=True)
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2127, in _create_dogtag_profile
with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1199, in __enter__
method='GET'
File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request
method=method, headers=headers)
File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
raise NetworkError(uri=uri, error=str(e))
ipalib.errors.NetworkError: cannot connect to 'https://idm.test.example.com:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) <<<<=================
2021-06-15T18:09:37Z DEBUG [error] NetworkError: cannot connect to 'https://idm.test.example.com:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
2021-06-15T18:09:37Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2021-06-15T18:09:37Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
return cfgr.run()
And finally it failed at
File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request
method=method, headers=headers)
File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
raise NetworkError(uri=uri, error=str(e))
2021-06-15T18:09:37Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://idm.test.example.com:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
2021-06-15T18:09:37Z ERROR cannot connect to 'https://idm.test.example.com:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
2021-06-15T18:09:37Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Actual results: IPA installation fails with the --pki-config-override option
Expected results: IPA should install via --pki-config-override /root/pki_override.cfg
Additional info: