smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Allow to define the default algorithm before initialization #1304

Open MacWeber opened 1 year ago

MacWeber commented 1 year ago

Hello!

Issue details

Currently, it is not possible to define the default algorithm before running step ca init. Then, there is a manual process involved for replacing the keys, in case the user decides to use a different key-pair type. See this discussion.

Due to technical/security/personal reasons some users may decide to not use the default curve (P-256). Then, having the option to restrict the use of some algorithms, or at least having the option to initialize the PKI with a different configuration out of the box would save time and avoid configuration errors that may happen during the current manual process.

One idea would be using a configuration file that would be read by the initialization script, so other initialization options could be added too. Another idea is to pass this option as a flag to the command step ca init.

Why is this needed?

This will allow users to avoid the manual steps that are necessary today to re-key the PKI, if they want to use a different key type than the one hard-coded on initialization.

dopey commented 1 year ago

Hey @MacWeber 👋. Thanks for opening the issue!

We agree that this would be quite useful! We've added it to the milestone for our next minor version release. I can't promise that we'll be able to get it in, but we'll at least discuss and update the issue if we need to push it back.

Also, we're definitely happy to accept PRs from the community from anyone looking to get their hands dirty.

MacWeber commented 1 year ago

That's really good news! Thanks for the feedback, @dopey! I'm not a Go programmer, but I will be happy to help with anything I can.