[Freeipa-users] Elliptic curves with the CA

Simo Sorce simo at redhat.com
Mon Sep 16 20:53:58 UTC 2013


On Mon, 2013-09-16 at 13:05 +0300, mees virk wrote:
> Hello all,
>  
> Is it possible to set up the FreeIPA's CA to use ECC cryptographic
> methods (ECDSA & co) instead of RSA? That includes generating ECC CA
> certificates, and so on.

At the moment our code (dogtag and nss) does not support ECC crypto.
I will let Dogtag developers chime in for when they plan to introduce
ECC based crypto in the codebase.

Simo.

> I don't think I was given any option towards this in the default
> installation process. Would appreciate instructions and/or pointers
> towards this. 
>  
> Also, can the default generated RSA CA be switched later to ECC/ECDSA?
>  
> Why doesn't the CA allow cross-signing (RSA/ECDSA hybrid keychains)
> certificates? It seems to validate the types, although it is not
> strictly forbidden as cryptographic practice (mostly just
> inconvenient, but it's legal). I gave the CA ECC CSR (generated by
> OpenSSL on one of the servers), and to my amazement it failed to sign
> it properly complaining about the type not being RSA.
>  


-- 
Simo Sorce * Red Hat, Inc * New York



