Automatic CA/Template selection based on csr key

[tmolbergen]

I was wondering if its possible to automaticly select which CA/Template should be used for signing a CSR based on the pubkey attribute avaliable in the CSR?

For example if a CSR has been created with an RSA key it should point to a CA where the CA key is also RSA and similar with EC keys?

Today we have configured specific profiles for each usecase but i suspect that the norm on the internet is that this should be handled automaticly by the acme server (ref LetsEncrypt and its ability to sign an EC csr with an EC ca)

[glatzert]

I think it would be possible to implement a template selection mechanism for such cases.
Would you think it should distinguish between RSA 2048, RSA 4096, EC (whatever curve) or only RSA vs EC?

[tmolbergen]

Hi,

In our case it would be nice to be able to differenciate between the various keysizes aswell

[glatzert]

okay, I'll draft the neccessary changes and will implement them within (probably first half of) march

[glatzert]

There's a beta of 3.1.0, which has not been run through my lab, but perhaps, you might want to chime in on the configuration changes.

[tmolbergen]

Without testing, i think the suggested configuration parameters looks exactly like what we need. I'll see if my colleague can give it a test in QA environment

[Borgquite]

Just been testing V3.1.0-beta6 for the ability to allow both RSA and ECDSA certificates, and it seemed to work fine here!