Re: [Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Fri, 26 Sep 2014 04:41:02 -0700 

Dne 26.9.2014 v 12:02 Martin Kosek napsal(a):

On 09/23/2014 11:46 AM, Jan Cholasta wrote:

Dne 6.8.2014 v 18:17 Jan Cholasta napsal(a):

Dne 6.8.2014 v 14:43 Rob Crittenden napsal(a):

Jan Cholasta wrote:

Hi,

the attached patch fixes
<https://fedorahosted.org/freeipa/ticket/4447>.




+    cert_group.add_option("--ca-key-algorithm",
dest="ca_key_algorithm",
+                      help="Key algorithm of the IPA CA certificate
(default SHA256withRSA)")

Why not set the default here rather than later?


CA-related defaults should be internalized in CA-related code IMHO.



Should the list of options be added to the man page as well?


Sure, why not.



Do we want to support the MD*-based signing algorithms? I'd think not.


Since the reason this patch exists is to support old and/or broken
external CAs, I would think yes, but I don't have a strong opinion on
this.


Turns out Dogtag does not like them, so I removed them.





Seeing the context makes me wonder if we should eventually add options
for CA key size and signing alg as well.

rob






Updated patch attached.



I tested the patch (it works fine with Dogtag 10), but I got very confused.

What CA option are we setting? Signing algorithm or Key Algorithm? I
thought we are only setting Signing algorithm, but in that case:


We are setting key algorithm for the CA signing key.



- --ca-key-algorithm option should rather read --ca-signing-key-algorithm
If you want to emphasize that it is actually the algorithm used to sign the CA certificate, the option should read --ca-certificate-signature-algorithm, but I would rather stick to Dogtag terminology and keep the string "key algorithm" in the name. 


- Dogtag9 update should only set --signing_algorithm and not
--key_algorithm
It should not, because then *all* the certificates issued by the CA would use that algorithm, instead of just the CA certificate. 


- man page should also be updated with proper explanation.


And that would be?



Martin



--
Jan Cholasta

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to