[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Martin Kosek mkosek at redhat.com
Fri Sep 26 10:02:32 UTC 2014


On 09/23/2014 11:46 AM, Jan Cholasta wrote:
> On 6.8.2014 at 18:17, Jan Cholasta wrote:
>> On 6.8.2014 at 14:43, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4447>.
>>>>
>>>
>>>
>>> +    cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
>>> +                      help="Key algorithm of the IPA CA certificate
>>> (default SHA256withRSA)")
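Review bot: the help text on `--ca-key-algorithm` advertises a default (`default SHA256withRSA`) but the option itself sets none, so `--help` promises behaviour the parser does not implement; either pass `default="SHA256withRSA"` in this `add_option` call, or, if the default is meant to live in the CA code, reword the help to say that the CA installer applies it. Separately, `SHA256withRSA` is a signature algorithm name, so an option called `--ca-key-algorithm` reads as if it configured the key type; a name and help string that say "signing algorithm" would match the values the option actually takes.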
>>>
>>> Why not set the default here rather than later?
>>
>> CA-related defaults should be internalized in CA-related code IMHO.
>>
>>>
>>> Should the list of options be added to the man page as well?
>>
>> Sure, why not.
>>
>>>
>>> Do we want to support the MD*-based signing algorithms? I'd think not.
>>
>> Since the reason this patch exists is to support old and/or broken
>> external CAs, I would think yes, but I don't have a strong opinion on this.
>
> Turns out Dogtag does not like them, so I removed them.
>
>>
>>>
>>> Seeing the context makes me wonder if we should eventually add options
>>> for CA key size and signing alg as well.
>>>
>>> rob
>>>
>>
>>
>
> Updated patch attached.
>

I tested the patch (it works fine with Dogtag 10), but I got very confused.

What CA option are we setting? Signing algorithm or key algorithm? I thought we
were only setting the signing algorithm, but in that case:

- --ca-key-algorithm option should rather read --ca-signing-key-algorithm
- Dogtag9 update should only set --signing_algorithm and not --key_algorithm
- man page should also be updated with proper explanation.

Martin
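The thread hinges on two points: the CLI parser should not carry CA defaults (Jan's position), and the option configures a signing algorithm, not a key algorithm (Martin's objection). The following is an added example, not FreeIPA's code, showing one way to keep those concerns apart with optparse: the parser defines a `--ca-signing-algorithm` option with no default, and a separate CA-side resolver supplies the default and refuses MD-based names. `SHA256withRSA` is the only algorithm name taken from the page; the other accepted names, the option name, the function names and the key-algorithm settings are assumptions.

```python
# Added example (not FreeIPA's code): keep CA defaults out of the option parser
# and validate the CA signing algorithm in CA-side code.
import optparse

# Assumed set of signing algorithm names accepted by the CA. SHA256withRSA is
# named on the page; the others are assumptions for illustration.
SUPPORTED_SIGNING_ALGORITHMS = ("SHA1withRSA", "SHA256withRSA", "SHA512withRSA")
DEFAULT_SIGNING_ALGORITHM = "SHA256withRSA"


def build_parser():
    """Build the installer option parser; no CA default is set here on purpose."""
    parser = optparse.OptionParser()
    cert_group = optparse.OptionGroup(parser, "certificate system options")
    # default=None: the CA code (resolve_signing_algorithm) owns the default,
    # and the help text says where it comes from rather than faking a default.
    cert_group.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
                          default=None,
                          help="Signing algorithm of the IPA CA certificate "
                               "(the CA setup defaults to %s)"
                               % DEFAULT_SIGNING_ALGORITHM)
    parser.add_option_group(cert_group)
    return parser


def is_supported_signing_algorithm(name):
    """Return True only for a known, non-MD-based signing algorithm name."""
    if name.upper().startswith("MD"):
        # MD2/MD5 based algorithms are rejected outright (the CA does not like them).
        return False
    return name in SUPPORTED_SIGNING_ALGORITHMS


def resolve_signing_algorithm(requested):
    """CA-side resolution: apply the default, reject unsupported names."""
    if requested is None:
        return DEFAULT_SIGNING_ALGORITHM
    if not is_supported_signing_algorithm(requested):
        raise ValueError("unsupported CA signing algorithm: %s (supported: %s)"
                         % (requested, ", ".join(SUPPORTED_SIGNING_ALGORITHMS)))
    return requested


def ca_config_from_args(argv):
    """Turn installer arguments into CA setup settings.

    Only signing_algorithm is driven by the option; key_algorithm and key_size
    are kept as separate settings (assumed values) so the two are not conflated.
    """
    options, _ = build_parser().parse_args(argv)
    return {
        "signing_algorithm": resolve_signing_algorithm(options.ca_signing_algorithm),
        "key_algorithm": "RSA",   # assumed, not set by --ca-signing-algorithm
        "key_size": 2048,         # assumed, not set by --ca-signing-algorithm
    }


if __name__ == "__main__":
    print(ca_config_from_args([]))
    print(ca_config_from_args(["--ca-signing-algorithm", "SHA512withRSA"]))
```

With no option given, the CA defaults apply; an MD-based name is rejected before anything reaches the CA installer, and the key settings are untouched either way.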
