
Re: [Sks-devel] HKPS certificate


From: Gabor Kiss
Subject: Re: [Sks-devel] HKPS certificate
Date: Tue, 19 May 2015 07:49:11 +0200 (CEST)
User-agent: Alpine 2.02 (DEB 1266 2009-07-14)

> I am wondering if I can still get a certificate for keys.techwolf12.nl,
> my server has been stable for over 3 months now and I would like to add
> an extra layer of security.

> Does anyone know how to get a certificate?

I'll tell you how I did it some two weeks ago.

I tailored a typical openssl.cnf file. I added this section:

[alt_names]
DNS.1 = hkps.pool.sks-keyservers.net
DNS.2 = *.pool.sks-keyservers.net
DNS.3 = pool.sks-keyservers.net
DNS.4 = keys.niif.hu

Also section v3_req looks like this:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names


Then I created a CSR. This is the result:

$ openssl req -in hkps.pool.sks-keyservers.net.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=HU, O=NIIF Institute, CN=keys.niif.hu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e2:a7:2a:b5:17:d4:4d:74:53:06:5f:ad:7d:0b:
[...]
                    44:4f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:hkps.pool.sks-keyservers.net, DNS:*.pool.sks-keyservers.net, DNS:pool.sks-keyservers.net, DNS:keys.niif.hu
    Signature Algorithm: sha256WithRSAEncryption
         82:c9:1d:42:61:0d:34:a9:bf:fe:5f:17:29:9c:49:93:b2:80:
[...]

This is what I sent to Kristian.

Note: I'm not an X.509 expert. I suspect the above scheme might be
a bit simpler. However, it works and I don't want to spend a lot of time
on research. If list members have any suggestions, they may be incorporated
in next year's CSR. :-)

Regards

Gabor
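Added example, not part of Gabor's post or of the SKS project: a small POSIX shell script that puts the same [v3_req]/[alt_names] scheme into a complete openssl.cnf, generates the key and CSR in one go, and prints the Subject Alternative Name line so you can check that all four names made it into the request before sending it off. The hostnames and DN are the ones from the message above; the file names and the work directory are assumptions.

```shell
#!/bin/sh
# Generate a key and a CSR with the SAN list from the post, then show the SANs.
# Hostnames and DN are from Gabor's message; paths are assumptions.
set -eu

# Write a minimal openssl.cnf: DN without prompting, plus the v3_req extensions.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
C  = HU
O  = NIIF Institute
CN = keys.niif.hu

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = hkps.pool.sks-keyservers.net
DNS.2 = *.pool.sks-keyservers.net
DNS.3 = pool.sks-keyservers.net
DNS.4 = keys.niif.hu
EOF
}

# Create hkps.key and hkps.csr inside directory $1 using the config above.
# The key is left unencrypted (-nodes) because SKS has to read it unattended.
make_csr() {
    dir=$1
    write_cnf "$dir/openssl.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/hkps.key" -out "$dir/hkps.csr" 2>/dev/null
}

# Print the SAN line of CSR $1: the line that follows the SAN extension header.
csr_sans() {
    openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}
```

Run `csr_sans hkps.csr` on the result and compare it against the alt_names section; a name missing there is much cheaper to fix now than after the CA has signed it.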


