Dne 6.8.2014 v 14:43 Rob Crittenden napsal(a):
Jan Cholasta wrote:
the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4447>.
+ cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
+ help="Key algorithm of the IPA CA certificate
Why not set the default here rather than later?
CA-related defaults should be internalized in CA-related code IMHO.
Should the list of options be added to the man page as well?
Sure, why not.
Do we want to support the MD*-based signing algorithms? I'd think not.
Since the reason this patch exists is to support old and/or broken
external CAs, I would think yes, but I don't have a strong opinion on this.
Seeing the context makes me wonder if we should eventually add options
for CA key size and signing alg as well.
Freeipa-devel mailing list