Re: [Sks-devel] HKPS certificate


From: Jeremy T. Bouse
Subject: Re: [Sks-devel] HKPS certificate
Date: Thu, 11 Jun 2015 20:51:24 -0400
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0

On 5/19/2015 3:31 AM, Kiss Gabor (Bitman) wrote:
>>> [alt_names]
>>> DNS.1 = hkps.pool.sks-keyservers.net
>>> DNS.2 = *.pool.sks-keyservers.net
>>> DNS.3 = pool.sks-keyservers.net
>>> DNS.4 = keys.niif.hu
>> This part is unnecessary, the SANs are added by me; the input is
>> discarded when generating the certificate. So you can simplify this to
> Anyway the result is this:
>
> $ openssl x509 -in hkps.pool.sks-keyservers.net.crt -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 94 (0x5e)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=NO, ST=Oslo, O=sks-keyservers.net CA, CN=sks-keyservers.net CA
>         Validity
>             Not Before: May 16 11:26:58 2015 GMT
>             Not After : May 15 11:26:58 2016 GMT
>         Subject: C=HU, O=NIIF Institute, CN=keys.niif.hu
> [...]
>             X509v3 Subject Alternative Name: 
>                 DNS:hkps.pool.sks-keyservers.net, DNS:*.pool.sks-keyservers.net, DNS:pool.sks-keyservers.net, DNS:keys.niif.hu
> [...]
>
> Gabor
Generating a new CSR for my SKS cluster I just simply ran:

$ openssl req -nodes -new -newkey rsa:4096 -sha256 \
    -keyout sks.undergrid.net.key -out sks.undergrid.net.csr \
    -subj "/C=US/ST=Georgia/O=UnderGrid Network Services/CN=sks.undergrid.net"

I needed to generate a new CSR as my current certificate is expired, and
I went ahead and generated a new key at the same time, as some of my
other certificates I'm in the process of renewing needed new keys before
they would be able to be renewed, so it was just easier to use the same
command.

Running my SKS cluster through Qualys SSL Labs testing I get an 'A'
rating when you ignore the trust issue because of the certs not being
signed by a known root CA.
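
Added example, not part of the original message: a sanity check an operator could run on the CSR before sending it and on the certificate that comes back, confirming both carry the same public key and that the certificate matches the pool names in the SAN list quoted above. The helper names, file names and the keys.example.org subject are assumptions, and the self-signed certificate only stands in for one issued by the pool CA.

```sh
#!/bin/sh
# Added example. Helper names, file names and keys.example.org are constructed.

# csr_ok CSR KEY: the CSR's self-signature verifies and it carries KEY's public key.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_ok CERT KEY HOST...: CERT carries KEY's public key and matches every HOST.
# openssl applies wildcard SANs such as *.pool.sks-keyservers.net itself.
cert_ok() {
    cert=$1
    key=$2
    shift 2
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
    for host in "$@"; do
        openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' || return 1
    done
}

# make_demo DIR: throwaway key and CSR, plus a self-signed stand-in for the
# issued certificate with the SAN layout from the quoted output.
# rsa:2048 keeps the demo fast; the message above uses rsa:4096.
make_demo() {
    openssl req -nodes -new -newkey rsa:2048 -sha256 -keyout "$1/demo.key" \
        -out "$1/demo.csr" -subj "/O=Constructed Example/CN=keys.example.org" \
        2>/dev/null || return 1
    printf 'subjectAltName=%s,%s,%s,%s\n' \
        DNS:hkps.pool.sks-keyservers.net 'DNS:*.pool.sks-keyservers.net' \
        DNS:pool.sks-keyservers.net DNS:keys.example.org > "$1/san.cnf"
    openssl x509 -req -in "$1/demo.csr" -signkey "$1/demo.key" -days 1 -sha256 \
        -extfile "$1/san.cnf" -out "$1/demo.crt" 2>/dev/null
}

# Stand-alone run on the constructed files.
d=$(mktemp -d) && make_demo "$d" &&
    csr_ok "$d/demo.csr" "$d/demo.key" &&
    cert_ok "$d/demo.crt" "$d/demo.key" hkps.pool.sks-keyservers.net keys.example.org &&
    echo "demo CSR and certificate are consistent"
rm -rf "$d"
```

With real files the same two calls apply, for instance csr_ok sks.undergrid.net.csr sks.undergrid.net.key before submitting the request.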


