[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Jan Cholasta jcholast at redhat.com
Fri Sep 26 11:41:26 UTC 2014


On 26.9.2014 at 12:02 Martin Kosek wrote:
> On 09/23/2014 11:46 AM, Jan Cholasta wrote:
>> On 6.8.2014 at 18:17 Jan Cholasta wrote:
>>> On 6.8.2014 at 14:43 Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patch fixes
>>>>> <https://fedorahosted.org/freeipa/ticket/4447>.
>>>>>
>>>>
>>>>
>>>> +    cert_group.add_option("--ca-key-algorithm",
>>>> dest="ca_key_algorithm",
>>>> +                      help="Key algorithm of the IPA CA certificate
>>>> (default SHA256withRSA)")
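Review bot: the help string advertises a default ("default SHA256withRSA") that this add_option call never sets, so options.ca_key_algorithm is None unless the admin passes --ca-key-algorithm and the CA code has to substitute the default later; either add default="SHA256withRSA" here or reword the help so it is clear the default is applied by the CA installer, and give the new option a matching man page entry. Since the accepted values are names like SHA256withRSA, i.e. the algorithm used to sign the CA certificate, stating that in the help text would head off the key-algorithm versus signing-algorithm confusion raised later in the thread.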
>>>>
>>>> Why not set the default here rather than later?
>>>
>>> CA-related defaults should be internalized in CA-related code IMHO.
>>>
>>>>
>>>> Should the list of options be added to the man page as well?
>>>
>>> Sure, why not.
>>>
>>>>
>>>> Do we want to support the MD*-based signing algorithms? I'd think not.
>>>
>>> Since the reason this patch exists is to support old and/or broken
>>> external CAs, I would think yes, but I don't have a strong opinion on
>>> this.
>>
>> Turns out Dogtag does not like them, so I removed them.
>>
>>>
>>>>
>>>> Seeing the context makes me wonder if we should eventually add options
>>>> for CA key size and signing alg as well.
>>>>
>>>> rob
>>>>
>>>
>>>
>>
>> Updated patch attached.
>>
>
> I tested the patch (it works fine with Dogtag 10), but I got very confused.
>
> What CA option are we setting? Signing algorithm or Key Algorithm? I
> thought we are only setting Signing algorithm, but in that case:

We are setting key algorithm for the CA signing key.

>
> - --ca-key-algorithm option should rather read --ca-signing-key-algorithm

If you want to emphasize that it is actually the algorithm used to sign 
the CA certificate, the option should read 
--ca-certificate-signature-algorithm, but I would rather stick to Dogtag 
terminology and keep the string "key algorithm" in the name.

> - Dogtag9 update should only set --signing_algorithm and not
> --key_algorithm

It should not, because then *all* the certificates issued by the CA 
would use that algorithm, instead of just the CA certificate.

> - man page should also be updated with proper explanation.

And that would be?

>
> Martin


-- 
Jan Cholasta
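As an added illustration of the split the thread settles on (no default on the installer option, the default and validation living in CA code, and only Dogtag's key algorithm being set so issued certificates are unaffected), here is example code that is not from the FreeIPA patch; the allowlist of algorithm names and the helper names are assumptions.

```python
import re
from optparse import OptionGroup, OptionParser

# Assumed allowlist of Dogtag signing-key algorithm names; the patch's real
# list is not on the page.  MD*-based names are absent because Dogtag
# rejects them.
DEFAULT_CA_KEY_ALGORITHM = "SHA256withRSA"
SUPPORTED_CA_KEY_ALGORITHMS = ("SHA1withRSA", "SHA256withRSA", "SHA512withRSA")


def build_parser():
    """Installer side: the option carries no default, only its help text does."""
    parser = OptionParser()
    cert_group = OptionGroup(parser, "certificate system options")
    cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
                          help="Key algorithm of the IPA CA certificate "
                               "(default SHA256withRSA)")
    parser.add_option_group(cert_group)
    return parser


def resolve_ca_key_algorithm(requested):
    """CA side: apply the internal default and validate the name."""
    algorithm = DEFAULT_CA_KEY_ALGORITHM if requested is None else requested
    if re.match(r"MD\d", algorithm, re.IGNORECASE):
        raise ValueError("Dogtag does not accept MD-based algorithms: %s" % algorithm)
    if algorithm not in SUPPORTED_CA_KEY_ALGORITHMS:
        raise ValueError("unsupported CA key algorithm: %s" % algorithm)
    return algorithm


def dogtag9_pkicreate_args(requested):
    """Only --key_algorithm is set: it affects the CA certificate alone.

    --signing_algorithm is deliberately left untouched, because it would
    change the algorithm of every certificate the CA issues.
    """
    return ["--key_algorithm", resolve_ca_key_algorithm(requested)]


def ca_key_algorithm_args_from_argv(argv):
    """Glue: parse installer arguments and hand the value to the CA code."""
    options, _ = build_parser().parse_args(argv)
    return dogtag9_pkicreate_args(options.ca_key_algorithm)
```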