[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Jan Cholasta jcholast at redhat.com
Tue Sep 23 09:46:09 UTC 2014


On 6.8.2014 at 18:17 Jan Cholasta wrote:
> On 6.8.2014 at 14:43 Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4447>.
>>>
>>
>>
>> +    cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
>> +                      help="Key algorithm of the IPA CA certificate
>> (default SHA256withRSA)")
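Review bot: the help string advertises a default (SHA256withRSA) that the option definition itself neither sets nor enforces, and no restriction on accepted values is visible in these lines; since the thread notes that Dogtag rejects some algorithms, consider validating the value against the supported list at option-parse time (e.g. a `choices=` list) so an unsupported name fails in ipa-server-install before CA setup begins.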
>>
>> Why not set the default here rather than later?
>
> CA-related defaults should be internalized in CA-related code IMHO.
>
>>
>> Should the list of options be added to the man page as well?
>
> Sure, why not.
>
>>
>> Do we want to support the MD*-based signing algorithms? I'd think not.
>
> Since the reason this patch exists is to support old and/or broken
> external CAs, I would think yes, but I don't have a strong opinion on this.

Turns out Dogtag does not like them, so I removed them.

>
>>
>> Seeing the context makes me wonder if we should eventually add options
>> for CA key size and signing alg as well.
>>
>> rob
>>
>
>

Updated patch attached.

-- 
Jan Cholasta
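The two review points in this thread (where the default lives, and whether unsupported algorithms such as the MD*-based ones should be accepted at all) can be shown together in one option definition. The block below is an added example, not FreeIPA's own code or the attached patch: it keeps the default in CA-related code and validates the value at parse time so that an algorithm the CA would reject fails before any setup runs. Only SHA256withRSA is taken from the thread; the other algorithm names in the supported list are assumed for illustration.

```python
"""Added example (not FreeIPA's code): a --ca-key-algorithm option whose
default is owned by CA-related code and whose value is checked at parse
time, so an unsupported (e.g. MD5-based) algorithm is rejected before any
CA setup step runs."""
from optparse import OptionParser

# Default kept in CA-related code, as argued in the thread, rather than
# in the option definition itself.
DEFAULT_CA_KEY_ALGORITHM = "SHA256withRSA"

# Assumed list of algorithms the CA accepts. The thread states that Dogtag
# rejects MD*-based algorithms, so none of them appear here.
SUPPORTED_CA_KEY_ALGORITHMS = (
    "SHA1withRSA",
    "SHA256withRSA",
    "SHA512withRSA",
)


def validate_ca_key_algorithm(value):
    """Return the effective algorithm name, or raise ValueError.

    None means "not given" and resolves to the CA-side default.
    """
    if value is None:
        return DEFAULT_CA_KEY_ALGORITHM
    if value.upper().startswith("MD"):
        raise ValueError(
            "MD*-based algorithms are not accepted by the CA: %s" % value)
    if value not in SUPPORTED_CA_KEY_ALGORITHMS:
        raise ValueError(
            "unsupported CA key algorithm: %s (supported: %s)"
            % (value, ", ".join(SUPPORTED_CA_KEY_ALGORITHMS)))
    return value


def build_parser():
    """Build an option parser with a validated --ca-key-algorithm option."""
    parser = OptionParser()
    # type="choice" makes optparse reject any value outside the supported
    # list during parsing; no default is set here on purpose.
    parser.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
                      type="choice",
                      choices=list(SUPPORTED_CA_KEY_ALGORITHMS),
                      help="Key algorithm of the IPA CA certificate "
                           "(default %s; one of: %s)"
                           % (DEFAULT_CA_KEY_ALGORITHM,
                              ", ".join(SUPPORTED_CA_KEY_ALGORITHMS)))
    return parser


def parse_ca_key_algorithm(argv):
    """Parse argv and return the CA key algorithm that will be used."""
    options, _args = build_parser().parse_args(argv)
    return validate_ca_key_algorithm(options.ca_key_algorithm)


if __name__ == "__main__":
    import sys
    print(parse_ca_key_algorithm(sys.argv[1:]))
```

With no option given the result is the CA-side default; an unsupported value is refused by optparse itself, and `validate_ca_key_algorithm` gives the same guarantee to code that receives the value by another path.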
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-314.1-Allow-specifying-key-algorithm-of-the-IPA-CA-cert-in.patch
Type: text/x-patch
Size: 5753 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140923/2db4f530/attachment.bin>