Sub-CA signing keys are currently hardcoded to rsa:2048. Add parameter(s) for specifying the key type and size / strength.
Lightweight CA should be covered as a new feature on the IdM side.
Moving to 10.3.1.
Will probably make this ticket for RSA key size only and file a new ticket for EC support once that's done.
Metadata Update from @ftweedal: - Issue assigned to ftweedal - Issue set to the milestone: UNTRIAGED
The hard-coded value of RSA 2048 is becoming an issue for IPA. We just bumped up the default key size of the main CA to 3072. We would also like to increase the key size of LWCAs.
I would like to propose two changes:
1) Make key size and key type configurable.
2) Take the default settings from the main CA, with RSA/2048 as the lowest value. In case the main CA is RSA/3072, all LWCAs should use RSA/3072 automatically.
The second change is probably easier to implement and more critical for IPA.
Metadata Update from @cheimes: - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field rhbz reset (from 0) - Custom field version adjusted to None - Issue priority set to: critical (was: major)
A change to generate the LWCA with the same key size as the main CA was merged.
Ticket remains open with the same scope as before: making LWCA key type and size configurable.
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2148
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)