On 6.8.2014 at 14:43, Rob Crittenden wrote:
Jan Cholasta wrote:

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4447>.

+    cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
+                      help="Key algorithm of the IPA CA certificate
(default SHA256withRSA)")
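
Review bot: the option name and help text in this add_option call say "key algorithm", but the stated default, SHA256withRSA, names a signing algorithm (a digest paired with a key type), so the flag describes something other than what it sets. Consider naming it along the lines of --ca-signing-algorithm with help text "Signing algorithm of the IPA CA certificate", and listing the accepted values in the help string so that a mistyped or unsupported algorithm is caught when options are parsed rather than later in the CA setup. The help string is also the only place the default appears in these lines; if the default stays in the CA code, the two can drift apart, so derive the text from the same constant.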

Why not set the default here rather than later?

CA-related defaults should be internalized in CA-related code IMHO.

Should the list of options be added to the man page as well?

Sure, why not.

Do we want to support the MD*-based signing algorithms? I'd think not.

Since the reason this patch exists is to support old and/or broken external CAs, I would think yes, but I don't have a strong opinion on this.

Seeing the context makes me wonder if we should eventually add options
for CA key size and signing alg as well.


Jan Cholasta

Freeipa-devel mailing list
