[Freeipa-users] Elliptic curves with the CA

Dmitri Pal dpal at redhat.com
Tue Sep 17 01:49:12 UTC 2013


On 09/16/2013 06:05 AM, mees virk wrote:
> Hello all,
>  
> Is it possible to set up the FreeIPA's CA to use ECC cryptographic
> methods (ECDSA & co) instead of RSA? That includes generating ECC CA
> certificates, and so on.
>  
> I don't think I was given any option towards this in the default
> installation process. Would appreciate instructions and/or pointers
> towards this.
>  
> Also, can the default generated RSA CA be switched later to ECC/ECDSA?
>  
> Why doesn't the CA allow cross-signing (RSA/ECDSA hybrid keychains)
> certificates? It seems to validate the types, although it is not
> strictly forbidden as cryptographic practice (mostly just
> inconvenient, but it's legal). I gave the CA an ECC CSR (generated by
> OpenSSL on one of the servers), and to my amazement it failed to sign
> it properly, complaining about the type not being RSA.
>  

IPA uses NSS. NSS support of ECC algorithms is very fresh, and we have not
looked at this area yet.
I suspect it would require changes in Dogtag first.

It would be best if you can file an RFE ticket, then we would be able to
follow up.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

