Forum

HPKP setup and how to test before deploying?

Mike
17 June 2017, 00:55
I created three private keys (pk1.key, pk2.key, pk3.key) and their CSRs (pk1.csr, pk2.csr, pk3.csr). I created a Hiawatha 'hpkp.keyfile' from the CSRs with `cat pk1.csr pk2.csr pk3.csr > hpkp.keyfile`. I suppose that is what I have to do, going by the HPKP blog post.

1) Is using `cat pk1.csr pk2.csr pk3.csr > hpkp.file` right?

2) How do I validate HPKP with 'PublicKeyPin'?

3) Can I test-run HPKP validation with "Public-Key-Pins-Report-Only" option as stated in section 2.1.1 of RFC7469 somehow?

4) From the Hiawatha manual's 'PublicKeyPin' setting, I wonder if I need to/can set the "includeSubDomains" or "report-uri" header field value directives, too?

5) I assume, I can use a CustomHeader in case I need the other header fields, right?
CustomHeader = Public-Key-Pins: pin-sha256="MaS..."; pin-sha256="4EE..."; pin-sha256="P6I..."; max-age=15768000; includeSubDomains; 


Hugo Leisink
19 June 2017, 20:00
Add the complete path of hpkp.file as the parameter for PublicKeyPin:
...
PublicKeyPin = /path/to/hpkp.file
...


Yes, use the CustomHeader if you want to set specific parameters.
This topic has been closed.
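The pin value HPKP uses is the base64-encoded SHA-256 of the DER-encoded SubjectPublicKeyInfo, which is identical in a private key, its CSR and the certificate later issued for it, so pins can be computed from any of the three. The following script is an added example, not code from Hiawatha or from the forum posts above, and it makes no assumption about how Hiawatha parses the PublicKeyPin file: it computes pins from SPKI blobs, builds both the enforcing and the Report-Only header (the "test-run" asked about in question 3, usable via CustomHeader), and runs the pre-deployment checks from RFC 7469 (at least two pins, one of them a backup pin that is not in the served chain, max-age present on the enforcing header, and a pin that actually matches what the server serves). The three sample keys are constructed Ed25519 SPKI structures named after the hypothetical pk1/pk2/pk3 files, not real keys; the openssl pipeline in the docstring is the standard way to get the same value from a real CSR or key.

```python
"""Build, parse and sanity-check Public-Key-Pins headers (RFC 7469).

Constructed example, standard library only. The SPKI blobs below are
made-up Ed25519 SubjectPublicKeyInfo structures, not real deployed keys.
"""
import base64
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410); 32 raw key bytes follow.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap 32 raw key bytes in a DER SubjectPublicKeyInfo (constructed sample data)."""
    assert len(raw_key) == 32
    return ED25519_SPKI_PREFIX + raw_key


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).

    The SPKI is the same in the private key, its CSR and the issued
    certificate, so all three yield the same pin. From a CSR with openssl:
        openssl req -in pk1.csr -pubkey -noout \
          | openssl pkey -pubin -outform DER \
          | openssl dgst -sha256 -binary | base64
    (for a private key use: openssl pkey -in pk1.key -pubout -outform DER)
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(pins, max_age=None, include_subdomains=False,
                 report_uri=None, report_only=False):
    """Return (header name, header value) for Public-Key-Pins or its Report-Only variant."""
    parts = ['pin-sha256="%s"' % p for p in pins]
    if not report_only:
        # max-age is required only on the enforcing header; omitted for Report-Only.
        if max_age is None:
            raise ValueError("max-age is required in Public-Key-Pins")
        parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    name = "Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"
    return name, "; ".join(parts)


def parse_header(value: str) -> dict:
    """Parse a PKP header value into its directives (pins keep header order)."""
    out = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            out["pins"].append(val)
        elif name == "max-age":
            out["max_age"] = int(val)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "report-uri":
            out["report_uri"] = val
    return out


def check_deployment(header_value, chain_spkis, report_only=False):
    """Pre-deployment checks against the chain the server will actually send.

    chain_spkis: DER SPKIs of the served certificate chain, leaf first.
    Returns a list of problems; an empty list means the header is safe to enforce.
    """
    h = parse_header(header_value)
    problems = []
    for p in h["pins"]:
        try:
            ok = len(base64.b64decode(p, validate=True)) == 32
        except ValueError:  # binascii.Error is a ValueError
            ok = False
        if not ok:
            problems.append("malformed pin: %s" % p)
    if len(h["pins"]) < 2:
        problems.append("fewer than two pins (RFC 7469 requires a backup pin)")
    if not report_only and h["max_age"] is None:
        problems.append("max-age missing")
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not chain_pins & set(h["pins"]):
        problems.append("no pin matches the served chain: clients would be locked out")
    if not set(h["pins"]) - chain_pins:
        problems.append("no backup pin: every pin is already in the served chain")
    return problems


# Constructed sample keys standing in for the hypothetical pk1/pk2/pk3 files.
SAMPLE_KEYS = {n: ed25519_spki(hashlib.sha256(n.encode()).digest()) for n in ("pk1", "pk2", "pk3")}


def demo_header(report_only=False):
    """Header pinning all three sample keys (hypothetical report-uri)."""
    pins = [spki_pin(k) for k in SAMPLE_KEYS.values()]
    return build_header(pins, max_age=15768000, include_subdomains=True,
                        report_uri="https://example.com/hpkp-report", report_only=report_only)


if __name__ == "__main__":
    name, value = demo_header(report_only=True)   # dry run first
    print("CustomHeader = %s: %s" % (name, value))
    # The server currently serves the pk1 certificate (leaf only in this constructed chain).
    print(check_deployment(demo_header()[1], [SAMPLE_KEYS["pk1"]]))
    # Common mistake: pinning only the key that is served, with no backup.
    print(check_deployment(build_header([spki_pin(SAMPLE_KEYS["pk1"])], max_age=60)[1],
                           [SAMPLE_KEYS["pk1"]]))
```

Run `check_deployment` with the real chain (leaf, intermediates) that the server sends before switching from the Report-Only header to the enforcing one, and repeat it whenever a certificate or key is rotated: an enforcing header whose pins no longer match the served chain locks out every client that cached it for the rest of max-age.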