Join the community today
Register Now

SSL Own certificate and HTTP Public Key Pinning

Discussion in 'Domains, DNS, Email & SSL Certificates' started by ModeltogTossen, Mar 12, 2016.

  1. ModeltogTossen

    ModeltogTossen I wish I could??

    313
    97
    28
    Dec 20, 2015
    Denmark
    Ratings:
    +143
    Local Time:
    3:43 PM
    1.9.12
    10.0.23
    Hello sirs..

    Trying hard to get my head around some understanding of this HPKP stuff.

    When a site is created in CMM - it also gets HPKP generated commented out - like this:

    Code:
     
    #add_header Public-Key-Pins 'pin-sha256="iAohr08REOhE8EBXYthVZyxrIE/yuZbTNz/8+c5JBeE="; pin-sha256="bgLN5U0V2ougSd/t2WghRaaU8Yx3xMTMxNOp0bHqHiI="; max-age=86400';
    
    My question is - If I replace the self-signed certificate with one from, lets say letsencrypt or Comodo, do I still use the auto-generated HPKP keys or do I need to generate another one and replace it? As now I think I need to replace it because that key is generated out of the self-signed crt, right?

    If I need to replaced it - what is the command to do so?

    Have found something like this but is that correct?

    Code:
    openssl x509 -pubkey < MyOwn.crt | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
    Hope for some feedback from anyone who have fiddle with that or can point me in some directions.

    Thanks in advance for participate.
     
  2. eva2000

    eva2000 Administrator Staff Member

    29,008
    6,580
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,770
    Local Time:
    11:43 PM
    Nginx 1.13.x
    MariaDB 5.5
    needs replacing the HPKP keys completely - you can see see clues as to how nginx vhost generation on centmin.sh menu option 2 does it on lines 68-90 of inc/nginx_addvhost.inc
     
    • Useful Useful x 1