SSL Own certificate and HTTP Public Key Pinning

Discussion in 'Domains, DNS, Email & SSL Certificates' started by ModeltogTossen, Mar 12, 2016.

  1. ModeltogTossen

    Hello sirs..


    Trying hard to get my head around some understanding of this HPKP stuff.

    When a site is created in CMM - it also gets HPKP generated commented out - like this:

    Code:
    #add_header Public-Key-Pins 'pin-sha256="iAohr08REOhE8EBXYthVZyxrIE/yuZbTNz/8+c5JBeE="; pin-sha256="bgLN5U0V2ougSd/t2WghRaaU8Yx3xMTMxNOp0bHqHiI="; max-age=86400';

    My question is - If I replace the self-signed certificate with one from, let's say, letsencrypt or Comodo, do I still use the auto-generated HPKP keys or do I need to generate another one and replace it? As now I think I need to replace it because that key is generated out of the self-signed crt, right?

    If I need to replace it - what is the command to do so?

    Have found something like this but is that correct?

    Code:
    # print the certificate's public key (SPKI) as PEM, convert it to DER, SHA-256 it, base64-encode the digest
    openssl x509 -pubkey -noout < MyOwn.crt | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

    Hope for some feedback from anyone who has fiddled with that or can point me in some directions.

    Thanks in advance for participating.

  2. eva2000

    eva2000 Administrator Staff Member
    needs replacing the HPKP keys completely - you can see clues as to how nginx vhost generation on centmin.sh menu option 2 does it on lines 68-90 of inc/nginx_addvhost.inc
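As an added example (not code from this thread and not Centmin Mod's own inc/nginx_addvhost.inc), the script below does in dependency-free Python what the openssl pipeline in the question does: it pulls the DER-encoded SubjectPublicKeyInfo out of a certificate, SHA-256 hashes it and base64-encodes the digest, which is exactly the pin-sha256 value RFC 7469 defines. It also parses the pins out of the add_header line Centmin Mod generated, checks whether a given certificate is covered by that header, and builds a replacement header. Every function name is mine, and the certificate and keys are hand-constructed ASN.1 skeletons with filler key bits (not real keys), so the pins they yield are illustrative only; on a real certificate, pass the PEM file contents to pem_to_der. The check makes the answer's point concrete: the pins derived from the self-signed certificate do not cover a new Let's Encrypt or Comodo certificate, so both pins must be regenerated, and RFC 7469 requires the second pin to come from a separately generated backup key (usually a backup CSR), otherwise a key rotation locks returning browsers out for max-age seconds.

```python
import base64
import hashlib
import re

# --- Minimal DER helpers (single-byte tags, definite lengths: enough for X.509) ---

def der_tlv(tag, content):
    """Encode one DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Decode the element at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def pem_to_der(pem, label):
    """Extract the first '-----BEGIN <label>-----' block of a PEM file and base64-decode it."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return base64.b64decode("".join(m.group(1).split()))


def spki_from_cert_der(cert_der):
    """Return the DER SubjectPublicKeyInfo (outer SEQUENCE included) of an X.509 certificate."""
    tag, cert, _ = der_read(cert_der, 0)          # Certificate ::= SEQUENCE
    tag_tbs, tbs, _ = der_read(cert, 0)           # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag_tbs != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, _, pos = der_read(tbs, 0)
    if tag == 0xA0:                               # optional EXPLICIT [0] version
        tag, _, pos = der_read(tbs, pos)
    if tag != 0x02:                               # serialNumber INTEGER
        raise ValueError("unexpected tbsCertificate layout")
    for _ in range(4):                            # skip signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    start = pos
    tag, _, pos = der_read(tbs, pos)              # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[start:pos]


def hpkp_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)), as RFC 7469 specifies."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def pins_in_header(header_line):
    """All pin-sha256 values found in an nginx add_header Public-Key-Pins line."""
    return PIN_RE.findall(header_line)


def hpkp_header(pins, max_age=86400):
    """Build the nginx directive; RFC 7469 requires a backup pin, so insist on at least two."""
    if len(pins) < 2:
        raise ValueError("need the live pin plus at least one backup pin")
    body = " ".join('pin-sha256="%s";' % p for p in pins)
    return "add_header Public-Key-Pins '%s max-age=%d';" % (body, max_age)


def header_covers_cert(header_line, cert_der):
    """True if the deployed certificate's SPKI hash is one of the header's pins."""
    return hpkp_pin(spki_from_cert_der(cert_der)) in pins_in_header(header_line)


# --- Constructed sample data: structurally valid ASN.1, filler key bits, not a real key or cert ---

def build_sample_spki(filler=0x42):
    """SPKI with the rsaEncryption OID and a BIT STRING of filler bytes (0 unused bits)."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + bytes([filler]) * 64))


def build_sample_cert_der(spki):
    """Wrap an SPKI in a minimal v3 Certificate skeleton with empty names and a filler signature."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))          # version v3
                  + der_tlv(0x02, b"\x01") + sig_alg                    # serialNumber, signature
                  + der_tlv(0x30, b"")                                  # issuer (empty Name)
                  + der_tlv(0x30, der_tlv(0x17, b"160312000000Z") + der_tlv(0x17, b"170312000000Z"))
                  + der_tlv(0x30, b"") + spki)                          # subject (empty Name), SPKI
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 17))


# The header Centmin Mod generated for the self-signed certificate, as quoted in the thread
GENERATED_HEADER = ("add_header Public-Key-Pins 'pin-sha256=\"iAohr08REOhE8EBXYthVZyxrIE/yuZbTNz/8+c5JBeE=\"; "
                    "pin-sha256=\"bgLN5U0V2ougSd/t2WghRaaU8Yx3xMTMxNOp0bHqHiI=\"; max-age=86400';")
SAMPLE_CERT_DER = build_sample_cert_der(build_sample_spki())
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    cert = pem_to_der(SAMPLE_CERT_PEM, "CERTIFICATE")
    live = hpkp_pin(spki_from_cert_der(cert))
    backup = hpkp_pin(build_sample_spki(0x43))    # in practice: SPKI of a separately generated backup key
    print("old header covers the new cert?", header_covers_cert(GENERATED_HEADER, cert))
    print(hpkp_header([live, backup]))
```

Running the script prints False for the old header and a freshly built directive; swap SAMPLE_CERT_PEM for the real certificate file's contents and the first pin becomes the one to put in the vhost, with the second coming from the backup key's SPKI (openssl req -pubkey -noout on the backup CSR gives the same PEM block that pem_to_der's "PUBLIC KEY" label would read, hashed with hpkp_pin after der_read has stripped nothing, since the SPKI is the whole block).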