Hello all,


Is it possible to setup the FreeIPA's CA use ECC cryptographic methods (ECDSA & 
co)  instead of RSA? That includes generating ECC CA certificates, and so on.


I don't think I was given any option towards this in the default installation 
process. Would appreciate instructions and/or pointers towards this. 


Also, can the default generated RSA CA switched later to ECC/ECDSA?


Why doesn't the CA allow cross-signing (RSA/ECDSA hybrid keychains) 
certificates? It seems to validate the types, although it is not strictly 
forbidden as crypthographic practice (mostly just inconvenient, but it's 
legal). I gave the CA ECC CSR (generated by openSSL on one of the servers), and 
to my amazement it failed to sign it properly complaining about the type not 
being RSA.

Freeipa-users mailing list

Reply via email to