Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1120681
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
User would like to install an IdM server instance with an external Root CA. This CA does not support CSRs with newer forms of encryption than SHA1. In freenode #freeipa, there was a suggestion to change cainstance.py by adding "-signing_algorithm", "SHA1withRSA" after the -key_algorithm.
This is just a workaround; we should allow specifying the CSR algorithm as an ipa-server-install option.
Ade's suggestion:
Considering that I'm the one that made the suggestion on how to do the configuration (and it sounds like it all worked), I see no reason not to add this change. Keep in mind that what was provided here was a change for dogtag 9 (rhel 6). There are other specific overrides for pkispawn in dogtag 10. Specifically, [CA] pki_ca_signing_key_algorithm=SHA256withRSA
master:
ipa-4-1:
The option should be added to ipa-ca-install as well. Reopening the ticket.
Metadata Update from @mkosek: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1
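A way to confirm which algorithm actually signed the CSR before it is handed to the external CA, as an added example that is not part of this ticket or of FreeIPA/Dogtag code. The function names are hypothetical, and the sample request is a constructed PKCS #10 skeleton with dummy contents, not a real CSR.

```python
import base64

SIG_OIDS = {  # PKCS #1 signature OIDs, named the way the ticket names them
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation (first arc 0 or 1)."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def csr_signature_algorithm(pem):
    """Name the algorithm that signed a PEM-encoded PKCS #10 request."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, request, _ = read_tlv(base64.b64decode(b64), 0)  # CertificationRequest
    _, _, pos = read_tlv(request, 0)       # skip certificationRequestInfo
    _, alg, _ = read_tlv(request, pos)     # signatureAlgorithm SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def tlv(tag, body):  # short-form lengths only; builds the constructed sample
    return bytes([tag, len(body)]) + body

def sample_csr(oid_hex):
    """Constructed PKCS #10 skeleton: dummy request info and signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, b"\x02\x01\x00") + alg + tlv(0x03, b"\x00" * 9))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}\n-----END CERTIFICATE REQUEST-----\n"
```

An OID outside the table is returned in dotted form, so an unexpected algorithm is reported rather than hidden.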