pki-bot / pki-issues-final


Lightweight CAs: keygen parameters for CA creation #1577

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #1589. Originally filed by ftweedal (@frasertweedale) on 2015-08-27 07:40:55:


Sub-CA signing keys are currently hardcoded to rsa:2048. Add parameter(s) for specifying the key type and size / strength.

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2016-01-27 01:21:55

Lightweight CA should be covered as a new feature on the IdM side.

pki-bot commented 3 years ago

Comment from ftweedal (@frasertweedale) at 2016-04-21 01:55:13

Moving to 10.3.1.

Will probably make this ticket for RSA key size only and file a new ticket for EC support once that's done.

pki-bot commented 3 years ago

Comment from ftweedal (@frasertweedale) at 2017-02-27 13:59:23

Metadata Update from @frasertweedale:

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2019-04-17 02:31:13

The hard-coded value of RSA 2048 is becoming an issue for IPA. We just bumped up the default key size of the main CA to 3072. We would also like to increase the key size of LWCAs.

I would like to propose two changes:

1) Make key size and key type configurable.
2) Take the default settings from the main CA, with RSA/2048 as the lowest value. In case the main CA is RSA/3072, all LWCAs should use RSA/3072 automatically.

The second change is probably easier to implement and more critical for IPA.

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2019-04-17 02:31:13

Metadata Update from @tiran:

pki-bot commented 3 years ago

Comment from ftweedal (@frasertweedale) at 2019-08-28 08:57:27

A change to generate the LWCA with the same key size as the main CA was merged.

Ticket remains open with the same scope as before: making LWCA key type and size configurable.