On 10/08/2012 11:05 PM, Stephan Seitz wrote:
> ..
> Hi guys,

Hi Stephan,

>
> sorry for asking dumb questions, but this is something far beyond my
> daily business ;)
>
> I recently created a key /csr for keyserver.secretresearchfacility.com .
> It's signed by a CA, so I currently do have a valid crt.
>
> As I read your posts, I guess I should create a new csr for that key
> like:
>
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1 = keyserver.secretresearchfacility.com
> DNS.2 = hkps.pool.sks-keyservers.net

You don't need this part in the CSR, I ignore the subjectAltNames given
in the request and add it myself.

> and glue the results (my key, the two crt's and the intermediate(s))
> together?
>
> I don't believe this will work ;)
>

Neither do I :)

>
> Another approach could be SNI, couldn't it?
>

Yup

> I already use namebased vhosts (thanks for your explanation of TLS,
> phil), so I could configure two proxies which are identical despite the
> hostname and the certificates. That way, I would use two different
> keys / crts without the need for subjectAltName.
>

Again, yup

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
"Great things are not accomplished by those who yield to trends and fads
and popular opinion." (Jack Kerouac)
----------------------------
This email was digitally signed using the OpenPGP standard.
If you want to read more about this
The book: Sending Emails - The Safe Way: An introduction to OpenPGP
security is available in both Amazon Kindle and Paperback format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
_______________________________________________
Sks-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/sks-devel
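The SNI approach confirmed in the reply above, sketched as an added example that is not part of the original thread or anyone's actual configuration. It assumes nginx as the reverse proxy and an SKS HKP listener on 127.0.0.1:11371; all file paths are placeholders.

```nginx
# Added example: two name-based TLS vhosts that are identical apart from the
# hostname and the key/certificate pair. nginx selects the server block from
# the SNI name in the ClientHello, so neither certificate needs a
# subjectAltName entry for the other hostname.

upstream sks_hkp {
    server 127.0.0.1:11371;   # assumption: local SKS HKP listener
}

server {
    listen 443 ssl;
    server_name keyserver.secretresearchfacility.com;

    # Existing key and CA-signed certificate, intermediate(s) appended
    ssl_certificate     /etc/nginx/tls/keyserver.chain.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/keyserver.key;         # placeholder path

    location / {
        proxy_pass       http://sks_hkp;
        proxy_set_header Host $host;
    }
}

server {
    listen 443 ssl;
    server_name hkps.pool.sks-keyservers.net;

    # Separate key; certificate issued for the pool hostname
    ssl_certificate     /etc/nginx/tls/hkps-pool.crt;         # placeholder path
    ssl_certificate_key /etc/nginx/tls/hkps-pool.key;         # placeholder path

    location / {
        proxy_pass       http://sks_hkp;
        proxy_set_header Host $host;
    }
}
```

A client that sends no SNI name gets the certificate of the default server for the socket (the first block here), so a non-SNI client asking for the pool name will see a hostname mismatch.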
