On 09/23/2014 11:46 AM, Jan Cholasta wrote:
Dne 6.8.2014 v 18:17 Jan Cholasta napsal(a):
Dne 6.8.2014 v 14:43 Rob Crittenden napsal(a):
Jan Cholasta wrote:
Hi,
the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4447>.
+ cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
+ help="Key algorithm of the IPA CA certificate
(default SHA256withRSA)")
Why not set the default here rather than later?
CA-related defaults should be internalized in CA-related code IMHO.
Should the list of options be added to the man page as well?
Sure, why not.
Do we want to support the MD*-based signing algorithms? I'd think not.
Since the reason this patch exists is to support old and/or broken
external CAs, I would think yes, but I don't have a strong opinion on this.
Turns out Dogtag does not like them, so I removed them.
Seeing the context makes me wonder if we should eventually add options
for CA key size and signing alg as well.
rob
Updated patch attached.
I tested the patch (it works fine with Dogtag 10), but I got very confused.
What CA option are we setting? Signing algorithm or Key Algorithm? I thought we
are only setting Signing algorithm, but in that case:
- --ca-key-algorithm option should rather read --ca-signing-key-algorithm
- Dogtag9 update should only set --signing_algorithm and not --key_algorithm
- man page should also be updated with proper explanation.
Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
