So having acquired a whole bunch of peers for my keyserver I'm now thinking about adding hkps support and becoming part of hkps.pool.sks-servers.net. I've got a couple of queries though.

1. I'll probably want to share the port 443 with other sites. Can one assume that SNI is supported by hkps clients or is there another mechanism recommended for hkps sharing a port?
2. Presumably I need to create a CSR for hkps.pool.sks-servers.net rather than my own server name since that is what people will be trying to connect to. Is there any preference with regard to SubjectAltName vs CommonName or both? The modern practice seems to be to use SubjectAltName but backward compatibility seems to be an important part of the keyserver world.
3. Are there any conventions regarding what should go into other fields of the DN when creating one's CSR?
4. Assuming I want to turn on HSTS I presumably need to install and configure sslh to front port 443. Anything else that might catch me out?

William
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel