<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/16/2013 06:05 AM, mees virk wrote:
<blockquote cite="mid:BLU175-W8A99B5A6A8731F6FC5E1FC4260@phx.gbl"
type="cite">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style>
<div dir="ltr">Hello all,<br>
<br>
Is it possible to setup the FreeIPA's CA use ECC cryptographic
methods (ECDSA & co) instead of RSA? That includes
generating ECC CA certificates, and so on.<br>
<br>
I don't think I was given any option towards this in the default
installation process. Would appreciate instructions and/or
pointers towards this. <br>
<br>
Also, can the default generated RSA CA switched later to
ECC/ECDSA?<br>
<br>
Why doesn't the CA allow cross-signing (RSA/ECDSA hybrid
keychains) certificates? It seems to validate the types,
although it is not strictly forbidden as crypthographic practice
(mostly just inconvenient, but it's legal). I gave the CA ECC
CSR (generated by openSSL on one of the servers), and to my
amazement it failed to sign it properly complaining about the
type not being RSA.<br>
<br>
</div>
</blockquote>
<br>
IPA uses NSS, NSS support of ECC algorithms is very fresh, we have
not looked at this area yet.<br>
I suspect it would require changes in Dogtag first.<br>
<br>
Would be best if you can file and RFE ticket, then we would be able
to follow up.<br>
<br>
<blockquote cite="mid:BLU175-W8A99B5A6A8731F6FC5E1FC4260@phx.gbl"
type="cite">
<div dir="ltr"> </div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>