On 5/19/2015 3:31 AM, Kiss Gabor (Bitman) wrote:
>>> [alt_names]
>>> DNS.1 = hkps.pool.sks-keyservers.net
>>> DNS.2 = *.pool.sks-keyservers.net
>>> DNS.3 = pool.sks-keyservers.net
>>> DNS.4 = keys.niif.hu
>> This part is unnecessary, the SANs are added by me the input is
>> discarded when generating the certificate. So you can simplify this to
> Anyway the result is this:
>
> $ openssl x509 -in hkps.pool.sks-keyservers.net.crt -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 94 (0x5e)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=NO, ST=Oslo, O=sks-keyservers.net CA, CN=sks-keyservers.net CA
>         Validity
>             Not Before: May 16 11:26:58 2015 GMT
>             Not After : May 15 11:26:58 2016 GMT
>         Subject: C=HU, O=NIIF Institute, CN=keys.niif.hu
> [...]
>             X509v3 Subject Alternative Name:
>                 DNS:hkps.pool.sks-keyservers.net, DNS:*.pool.sks-keyservers.net, DNS:pool.sks-keyservers.net, DNS:keys.niif.hu
> [...]
>
> Gabor

Generating a new CSR for my SKS cluster I just simply ran:

$ openssl req -nodes -new -newkey rsa:4096 -sha256 -keyout sks.undergrid.net.key -out sks.undergrid.net.csr -subj "/C=US/ST=Georgia/O=UnderGrid Network Services/CN=sks.undergrid.net"

I needed to generate a new CSR as my current certificate is expired and I went ahead and generated a new key at the same time as some of my other certificates I'm in the process of renewing needed new keys before they would be able to be renewed so it was just easier to use the same command.

Running my SKS cluster through Qualys SSL Labs testing I get an 'A' rating when you ignore the trust issue because of the certs not being signed by a known root CA.

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
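
The CSR step from the message above, as an added example that is not part of the original post: it generates the request with the same openssl options and then checks what the CSR actually contains before it is sent to the CA. The function names and the key-size parameter are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the BITS
# parameter are hypothetical; the openssl options are the ones in the post.

# make_csr DIR CN BITS: write DIR/CN.key and DIR/CN.csr. No [alt_names]
# section is supplied because, per the quoted reply, the pool CA discards
# requested SANs and adds its own.
make_csr() (
    umask 077   # -nodes writes the key unencrypted, so keep it owner-only
    openssl req -nodes -new -newkey "rsa:$3" -sha256 \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=Georgia/O=UnderGrid Network Services/CN=$2" \
        2>/dev/null
)

# csr_text CSR: decoded request plus the self-signature verification result.
csr_text() {
    openssl req -in "$1" -noout -text -verify 2>&1
}

# csr_has_san CSR: succeed if the request asks for a subjectAltName.
csr_has_san() {
    csr_text "$1" | grep -q "Subject Alternative Name"
}

# check_csr CSR CN BITS: succeed only if the self-signature verifies, the
# request is signed with SHA-256/RSA, and key size and CN are as expected.
check_csr() (
    text=$(csr_text "$1") || exit 1
    for want in "verify OK" "Signature Algorithm: sha256WithRSAEncryption" \
                "Public-Key: ($3 bit)"; do
        printf '%s\n' "$text" | grep -qF "$want" ||
            { echo "missing: $want"; exit 1; }
    done
    printf '%s\n' "$text" | grep -Eq "Subject:.*CN ?= ?$2" ||
        { echo "CN mismatch"; exit 1; }
)

# key_is_private KEY: succeed if only the owner can read or write the key.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```

To reproduce the command from the message, call make_csr with the target directory, sks.undergrid.net and 4096, then run check_csr on the resulting .csr file.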