#1589 Lightweight CAs: keygen parameters for CA creation
Closed: migrated 3 years ago by dmoluguw. Opened 8 years ago by ftweedal.

Sub-CA signing keys are currently hardcoded to rsa:2048. Add
parameter(s) for specifying the key type and size / strength.


Lightweight CA should be covered as a new feature on the IdM side

Moving to 10.3.1.

Will probably make this ticket for RSA key size only and file a new ticket
for EC support once that's done.

Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: UNTRIAGED

7 years ago

The hard-coded value of RSA 2048 is becoming an issue for IPA. We just bumped up the default key size of the main CA to 3072. We would also like to increase the key size of LWCAs.

I would like to propose two changes:

1) Make key size and key type configurable.
2) Take the default settings from the main CA, with RSA/2048 as the lowest value. In case the main CA is RSA/3072, all LWCAs should use RSA/3072 automatically.

The second change is probably easier to implement and more critical for IPA.

Metadata Update from @cheimes:
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz reset (from 0)
- Custom field version adjusted to None
- Issue priority set to: critical (was: major)

5 years ago

A change to generate the LWCA with same key size as main CA was merged.

  • master 0053a2c42d871c1b4fa0a15b27c05b55da45566f
  • v10.7 9fd384f2276c2df72ed97098746072526f874bd1

Ticket remains open with same scope as before: making LWCA key type and size configurable.
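
The default proposed above (inherit the main CA's RSA key size, never below RSA/2048) can be sketched as follows. This is an added example, not Dogtag PKI code and not the merged change: the class and method names are hypothetical, and it assumes the JDK's default RSA provider rather than the token Dogtag uses.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;

// Added illustration; names are hypothetical, not taken from Dogtag PKI.
public class LwcaKeySizePolicy {

    // Floor from the proposal: never generate below RSA/2048.
    static final int MIN_RSA_BITS = 2048;

    // Pick the sub-CA RSA key size from the main CA's public key.
    static int subCaKeyBits(PublicKey mainCaKey) {
        if (!(mainCaKey instanceof RSAPublicKey)) {
            // EC and other key types are outside the RSA-only scope sketched here;
            // fail closed instead of silently falling back to a fixed size.
            throw new IllegalArgumentException(
                "unsupported main CA key type: " + mainCaKey.getAlgorithm());
        }
        int mainBits = ((RSAPublicKey) mainCaKey).getModulus().bitLength();
        return Math.max(mainBits, MIN_RSA_BITS);
    }

    // Generate a sub-CA signing key pair sized by the policy above.
    static KeyPair generateSubCaKey(PublicKey mainCaKey) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(subCaKeyBits(mainCaKey));
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed stand-ins for a main CA key: one at the 3072 default
        // mentioned in the ticket, one below the 2048 floor.
        for (int bits : new int[] {3072, 1024}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(bits);
            PublicKey mainCa = kpg.generateKeyPair().getPublic();
            RSAPublicKey sub = (RSAPublicKey) generateSubCaKey(mainCa).getPublic();
            System.out.printf("main CA RSA/%d -> sub-CA RSA/%d%n",
                bits, sub.getModulus().bitLength());
        }
    }
}
```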

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2148

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
