[Ach] Recommendations creating CSRs

Hanno Böck hanno at hboeck.de
Tue Oct 14 23:27:19 CEST 2014

Am Tue, 14 Oct 2014 22:12:06 +0200
schrieb "A. Schulze" <sca at andreasschulze.de>:

> your script generate a header containing two pin-sha256 values.
> It suggest to take a cert and a key file for computation.

No, you interpret that wrong.

The point is: You can pass the key in different forms. The cert, the
private key or a csr. All contain the public key in some way. My script
accepts all of them.

If you pass key and the corresponding cert it generates two identical
pins, however that doesn't make any sense.

> I read the draft and as far as I understand the intention is to
> provide a current pin and a backup pin. right?

Yes. So what you'd ideally do is create a cert and a backup key you
store somewhere to use for your next cert once your current one
expires. Then you create pins for your current cert/key and your backup

Hanno Böck

mail/jabber: hanno at hboeck.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20141014/1971f403/attachment.sig>

More information about the Ach mailing list