Re: [Sks-devel] HKPS certificate
From: Gabor Kiss
Subject: Re: [Sks-devel] HKPS certificate
Date: Tue, 19 May 2015 07:49:11 +0200 (CEST)
User-agent: Alpine 2.02 (DEB 1266 2009-07-14)

> I am wondering if I can still get a certificate for keys.techwolf12.nl,
> my server has been stable for over 3 months now and I would like to add
> an extra layer of security.
> Does anyone know how to get a certificate?

I'll tell you how I did it some two weeks ago.
I tailored a typical openssl.cnf file. I added this section:
[alt_names]
DNS.1 = hkps.pool.sks-keyservers.net
DNS.2 = *.pool.sks-keyservers.net
DNS.3 = pool.sks-keyservers.net
DNS.4 = keys.niif.hu
Also section v3_req looks like this:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
Then I created a CSR. This is the result:
$ openssl req -in hkps.pool.sks-keyservers.net.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=HU, O=NIIF Institute, CN=keys.niif.hu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e2:a7:2a:b5:17:d4:4d:74:53:06:5f:ad:7d:0b:
                    [...]
                    44:4f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:hkps.pool.sks-keyservers.net, DNS:*.pool.sks-keyservers.net, DNS:pool.sks-keyservers.net, DNS:keys.niif.hu
    Signature Algorithm: sha256WithRSAEncryption
         82:c9:1d:42:61:0d:34:a9:bf:fe:5f:17:29:9c:49:93:b2:80:
         [...]
This is what I sent to Kristian.

Note: I'm not an X.509 expert. I suspect the above scheme might be
a bit simpler. However, it works and I don't want to spend a lot of time
on research. If list members have any suggestions, they may be incorporated
in next year's CSR. :-)

Regards
Gabor
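
The procedure in the message above, as an added example that is not part of the original post or of any SKS tooling: it writes a config with the [ v3_req ] and [alt_names] sections shown, generates a key and CSR, and checks that every expected name is actually in the request before it is sent for signing. The [ req ] and [ req_dn ] sections, the file names and the function names are assumptions; the subject values are copied from the CSR output above.

```shell
#!/bin/sh
# Added example. The [ req ] / [ req_dn ] sections and file names are assumptions.

make_csr() {  # $1 = output directory; writes openssl.cnf, hkps.key, hkps.csr
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = v3_req

[ req_dn ]
C = HU
O = NIIF Institute
CN = keys.niif.hu

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = hkps.pool.sks-keyservers.net
DNS.2 = *.pool.sks-keyservers.net
DNS.3 = pool.sks-keyservers.net
DNS.4 = keys.niif.hu
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/openssl.cnf" \
        -keyout "$1/hkps.key" -out "$1/hkps.csr" 2>/dev/null
}

check_csr() {  # $1 = CSR file, remaining args = DNS names that must be present
    csr=$1; shift
    # One extension value per line, surrounding whitespace stripped,
    # so names are compared exactly rather than as substrings.
    fields=$(openssl req -in "$csr" -noout -text | tr ',' '\n' |
             sed 's/^[[:space:]]*//; s/[[:space:]]*$//') || return 1
    for name in "$@"; do
        printf '%s\n' "$fields" | grep -qxF "DNS:$name" ||
            { echo "missing SAN: $name" >&2; return 1; }
    done
    # A server CSR must not request CA rights.
    printf '%s\n' "$fields" | grep -qxF "CA:FALSE"
}

dir=$(mktemp -d) && make_csr "$dir" &&
check_csr "$dir/hkps.csr" "hkps.pool.sks-keyservers.net" \
    "*.pool.sks-keyservers.net" "pool.sks-keyservers.net" "keys.niif.hu" &&
echo "CSR OK: $dir/hkps.csr"
```

Keep hkps.key private; only the .csr file is sent to the signer.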