On 31.07.2015 at 01:05, Mike Forbes wrote:
> So now begins the task of trying to make HKPS and SSL and SKS all work together.
>
> Currently we're serving up our main pgp pages with our own SSL cert (https://pgp.net.nz).
>
> If we were to serve this using the HKPS cert I imagine it would throw a certificate warning for most people who haven't imported the hkps.pool.sks-keyservers.net CA.
>
> My question is, how have other people managed to get HKPS working together with their own SSL certs?
>
> Our nginx config pushes all requests on port 80 to 443, then has a location section for /pks that points to the locally running sks daemon on 127.0.0.1:11371.
>
> I'd love to hear how others have managed this.

I haven't tried it, as I don't have any SKS cert. But an additional virtual nginx server using *hkps.pool.sks-keyservers.net* as *server_name* on port 443 and the appropriate *ssl_certificate* and *ssl_certificate_key* should probably do it. It should probably be the default, so any client can use it, and browsers can get to the one with your own cert by SNI.

Personally I use *Public-Key-Pins* and *Strict-Transport-Security* instead of HTTP redirects, as we are not really sure how the various pgp-clients handle the HTTP redirects.

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
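The layout suggested in the reply, written out as an nginx configuration. This is an added example, not configuration posted by either participant: one nginx instance answers on port 443 with two TLS identities, the HKPS pool certificate as the default (so clients that send no SNI still get it) and the site's own certificate selected by SNI for browsers asking for pgp.net.nz. Certificate paths and the document root are placeholders; the SKS daemon on 127.0.0.1:11371 and the hostnames are taken from the thread. Public-Key-Pins is left out because pin values would have to be invented and the header has since been removed from major browsers; Strict-Transport-Security is kept.

```nginx
# Added example (not from the thread). Assumptions: certificate paths and
# the document root are placeholders; SKS listens on 127.0.0.1:11371.

# Plain HTTP: redirect to HTTPS. HKP clients may not follow redirects,
# which is why the reply prefers relying on headers for browsers instead.
server {
    listen 80;
    server_name pgp.net.nz hkps.pool.sks-keyservers.net;
    return 301 https://$host$request_uri;
}

# Default TLS server: presents the HKPS pool certificate. Clients that do
# not send SNI land here, so this block carries default_server.
server {
    listen 443 ssl default_server;
    server_name hkps.pool.sks-keyservers.net;

    ssl_certificate     /etc/ssl/sks/hkps.pool.sks-keyservers.net.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/sks/hkps.pool.sks-keyservers.net.key;  # placeholder path

    add_header Strict-Transport-Security "max-age=15768000" always;

    # HKP/HKPS traffic goes to the local SKS daemon.
    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Browser-facing server: presents the site's own publicly trusted
# certificate. nginx selects it when the client's SNI says pgp.net.nz.
server {
    listen 443 ssl;
    server_name pgp.net.nz;

    ssl_certificate     /etc/ssl/private/pgp.net.nz.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/private/pgp.net.nz.key;            # placeholder path

    add_header Strict-Transport-Security "max-age=15768000" always;

    root /var/www/pgp;  # placeholder: the static PGP pages

    # Keep /pks reachable under the browser-trusted name as well.
    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

To check which certificate a given name receives, connect once with and once without SNI, e.g. `openssl s_client -connect pgp.net.nz:443 -servername hkps.pool.sks-keyservers.net </dev/null | openssl x509 -noout -subject` and the same command without `-servername`; both should show the pool certificate, while `-servername pgp.net.nz` should show the site's own. Note that the sks-keyservers.net pool and its CA have since been shut down, so the hostname above is kept only because it is the one the thread discusses.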
On 31.07.2015 at 01:05, Mike Forbes wrote: > So now begins the task of trying to make HKPS and SSL and SKS all work > together. > > Currently we're serving up our main pgp pages with our own SSL cert > (https://pgp.net.nz) > > If we were to serve this using the HKPS cert I imagine it would throw > a certificate warning for most people who haven't imported the > hkps.pool.sks-keyservers.net CA. > > My question is, how have other people managed to get HKPS working > together with their own SSL certs? > > Our nginx config pushes all requests on port 80 to 443, then has a > location section for /pks that points to the locally running sks > daemon on 127.0.0.1:11371 > > I'd love to hear how others have managed this. > I haven't tried it, as I don't have any SKS cert. But an additional virtual nginx server using *hkps.pool.sks-keyservers.net* as *servername* on port 443 and the appropriate *ssl_certificate* and *ssl_certificate_key* should probably do it. Probably should be the default, so any client can use it, and browsers can get to the one with your own cert by SNI. Personally I use *Public-Key-Pins* and *Strict-Transport-Security* instead of HTTP redirects, as we are not really sure how the various pgp-clients handle the HTTP redirects. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJVvN6xXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBNTEwNjBDN0RBNDY3QzM3OTVCQkREMUJG MDhEOUJERDEzMDg2MTEzAAoJEPCNm90TCGETr5EIAJz3CQxG/V+48JLgtlXqenRu xj3isl/oueYLkQKamECDZ6wd7/M2ODox2t8rbSY61M33yR/lWpe/Vjpr8CBPVL+e DFxfUAPyQYtpIpQLEi0YUEqMUQAutIkZViwTgoe787OmW/CKqBBU8H3CVUsCF4yb UHNexmPgcMfStJH60e1XrlRP4l3CMohWPwB7YFygbUa+R0XNGlW3Cmal24NUlsPP B18hP16IqxPCBuGxq3IwySBub/LU8ggypCCBCpi7WfWwBXBLl3DePoYFVqgtHo6e QVTUpm/gcwhbTIoY6Yj95pqm3iRJkz+wgrfv09wyu3vUFTe9ZC9CyiH642zGYRE= =UyBv -----END PGP SIGNATURE----- _______________________________________________ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel