Forum
HPKP setup and how to test before deploying?
Mike
17 June 2017, 00:55
I did create three privkeys (pk1.key pk2.key pk3.key) and their CSRs (pk1.csr pk2.csr pk3.csr). I created a Hiawatha 'hpkp.keyfile' by using the CSRs with `cat pk1.csr pk2.csr pk3.csr > hpkp.keyfile` I suppose, that is what I have to do by reading the HPKP blog post.
1) Is using `cat pk1.csr pk2.csr pk3.csr > hpkp.file` for right?
2) How do I validate HPKP with 'PublicKeyPin'?
3) Can I test-run HPKP validation with "Public-Key-Pins-Report-Only" option as stated in section 2.1.1 of RFC7469 somehow?
4) Form the Hiawatha manual 'PublicKeyPin' setting I wonder If I need/can set "includeSubDomains" or "report-uri" header field value directives, too?
5) I assume, I can use a CustomHeader in case I need the other header fields, right?
1) Is using `cat pk1.csr pk2.csr pk3.csr > hpkp.file` for right?
2) How do I validate HPKP with 'PublicKeyPin'?
3) Can I test-run HPKP validation with "Public-Key-Pins-Report-Only" option as stated in section 2.1.1 of RFC7469 somehow?
4) Form the Hiawatha manual 'PublicKeyPin' setting I wonder If I need/can set "includeSubDomains" or "report-uri" header field value directives, too?
5) I assume, I can use a CustomHeader in case I need the other header fields, right?
CustomHeader = Public-Key-Pins: pin-sha256="MaS..."; pin-sha256="4EE..."; pin-sha256="P6I..."; max-age=15768000; includeSubDomains;
Hugo Leisink
19 June 2017, 20:00
Add the complete path of hpkp.file as the parameter for PublicKeyPin:
Yes, use the CustomHeader if you want to set specific parameters.
...
PublicKeyPin = /path/to/hpkp.file
...
Yes, use the CustomHeader if you want to set specific parameters.
This topic has been closed.
Copyright © by Hugo Leisink. All rights reserved.
Built upon the Banshee PHP framework.
Built upon the Banshee PHP framework.
