[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install
Jan Cholasta
jcholast at redhat.com
Wed Aug 6 16:17:42 UTC 2014
On 6.8.2014 at 14:43, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4447>.
>>
>
>
> + cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
> + help="Key algorithm of the IPA CA certificate
> (default SHA256withRSA)")
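Review bot: the option name `--ca-key-algorithm` and the help text "Key algorithm of the IPA CA certificate" do not match the documented default, since `SHA256withRSA` names a signature algorithm (digest plus key type) rather than a key algorithm. Consider calling it `--ca-signing-algorithm` and wording the help the same way, so it cannot be confused with a later key-type or key-size option. As far as these lines show, the `add_option` call has no `choices=` and the help does not list the accepted values, so listing them and rejecting unknown values at option-parsing time would catch typos early. The default also appears only as text in the help string here, so it can drift from the value set elsewhere in the code.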
>
> Why not set the default here rather than later?
CA-related defaults should be internalized in CA-related code IMHO.
>
> Should the list of options be added to the man page as well?
Sure, why not.
>
> Do we want to support the MD*-based signing algorithms? I'd think not.
Since the reason this patch exists is to support old and/or broken
external CAs, I would think yes, but I don't have a strong opinion on this.
>
> Seeing the context makes me wonder if we should eventually add options
> for CA key size and signing alg as well.
>
> rob
>
--
Jan Cholasta