Dne 26.9.2014 v 12:02 Martin Kosek napsal(a):
On 09/23/2014 11:46 AM, Jan Cholasta wrote:
Dne 6.8.2014 v 18:17 Jan Cholasta napsal(a):
Dne 6.8.2014 v 14:43 Rob Crittenden napsal(a):
Jan Cholasta wrote:
Hi,
the attached patch fixes
<https://fedorahosted.org/freeipa/ticket/4447>.
+ cert_group.add_option("--ca-key-algorithm",
dest="ca_key_algorithm",
+ help="Key algorithm of the IPA CA certificate
(default SHA256withRSA)")
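Review bot: the help text promises a default of SHA256withRSA, but the option itself sets no default and places no restriction on the accepted value, so an unsupported algorithm name (such as the MD*-based ones the thread later reports Dogtag rejects) is only caught once installation reaches the CA; if the default is meant to be applied in CA-related code, consider still giving the option a choices list so bad values fail at parse time, and add the new option to the man page.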
Why not set the default here rather than later?
CA-related defaults should be internalized in CA-related code IMHO.
Should the list of options be added to the man page as well?
Sure, why not.
Do we want to support the MD*-based signing algorithms? I'd think not.
Since the reason this patch exists is to support old and/or broken
external CAs, I would think yes, but I don't have a strong opinion on
this.
Turns out Dogtag does not like them, so I removed them.
Seeing the context makes me wonder if we should eventually add options
for CA key size and signing alg as well.
rob
Updated patch attached.
I tested the patch (it works fine with Dogtag 10), but I got very confused.
What CA option are we setting? Signing algorithm or Key Algorithm? I
thought we are only setting Signing algorithm, but in that case:
We are setting key algorithm for the CA signing key.
- --ca-key-algorithm option should rather read --ca-signing-key-algorithm
If you want to emphasize that it is actually the algorithm used to sign
the CA certificate, the option should read
--ca-certificate-signature-algorithm, but I would rather stick to Dogtag
terminology and keep the string "key algorithm" in the name.
- Dogtag9 update should only set --signing_algorithm and not
--key_algorithm
It should not, because then *all* the certificates issued by the CA
would use that algorithm, instead of just the CA certificate.
- man page should also be updated with proper explanation.
And that would be?
Martin
--
Jan Cholasta
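As an added illustration of the approach discussed above (not code from the FreeIPA patch itself), the following optparse snippet defines a `--ca-key-algorithm` option that validates its value up front while leaving the actual default to the CA-side code. The list of accepted algorithm names and the helper names (`build_parser`, `resolve_ca_key_algorithm`, `parse_ca_key_algorithm`) are assumptions for the example; the MD*-based names are deliberately absent because the thread reports Dogtag does not accept them.

```python
"""Added example, not part of the freeipa patch under discussion: an
optparse option for the CA key algorithm that rejects unsupported values
at parse time while the default is resolved by CA-related code."""
import optparse

# Assumed list of algorithm names the CA accepts for its signing key; the
# MD*-based algorithms are left out because Dogtag rejects them.
SUPPORTED_CA_KEY_ALGORITHMS = ("SHA256withRSA", "SHA1withRSA", "SHA512withRSA")

# The default lives with the CA-related code, not in the option definition.
DEFAULT_CA_KEY_ALGORITHM = "SHA256withRSA"


class OptionError(ValueError):
    """Raised instead of exiting the process on a bad option value."""


class InstallerOptionParser(optparse.OptionParser):
    # optparse normally prints usage and calls sys.exit(2) on a bad value;
    # raise instead so callers can handle the failure and tests can see it.
    def error(self, msg):
        raise OptionError(msg)


def build_parser():
    """Build a parser with the certificate option group (assumed layout)."""
    parser = InstallerOptionParser(usage="%prog [options]")
    cert_group = optparse.OptionGroup(parser, "certificate system options")
    cert_group.add_option(
        "--ca-key-algorithm",
        dest="ca_key_algorithm",
        type="choice",
        choices=SUPPORTED_CA_KEY_ALGORITHMS,
        default=None,
        help="Key algorithm of the IPA CA certificate (default %s)"
        % DEFAULT_CA_KEY_ALGORITHM,
    )
    parser.add_option_group(cert_group)
    return parser


def resolve_ca_key_algorithm(options):
    """CA-side default resolution: the option stays None unless given."""
    return options.ca_key_algorithm or DEFAULT_CA_KEY_ALGORITHM


def parse_ca_key_algorithm(argv):
    """Parse argv and return the effective CA key algorithm."""
    options, _args = build_parser().parse_args(argv)
    return resolve_ca_key_algorithm(options)


if __name__ == "__main__":
    import sys
    print(parse_ca_key_algorithm(sys.argv[1:]))
```

Passing `--ca-key-algorithm MD5withRSA` raises `OptionError` before any CA code runs; omitting the option yields `SHA256withRSA` from the CA-side resolver rather than from the option definition.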
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel