I have mentioned it before (my blog) and since Chrome (the web browser, not a metal alloy) eventually gave up on this cryptographic hash to verify sites**, I decided to have one last go.
I read online that
openssl ecparam -genkey -name secp384r1 > ec.key
openssl ec -in ec.key -pubout | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | base64
Got a backup key or something
That looks like this (note: not run on a real certificate):
read EC key
writing EC key
read EC key
writing EC key
# cat server.key
-----BEGIN EC PARAMETERS-----
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
4Ej/s4iCfUWgBwYFK4EEACKhZBananas – in – the – Falklands -M4szuJE0DDh/pLBmob
-----END EC PRIVATE KEY-----
So it appears to add EC PARAMETERS and EC PRIVATE KEY sections to a file.
The magic of openssl is beyond most, so I went looking for an HPKP generator, which appeared to work and, despite not doing EC private keys, also got me a backup pin hash.
I still had no idea how I could generate a backup cert from those keys; I still think money would need to change hands with the SSL mafia.
Since I already had a commented-out, non-working HPKP block with /" syntax (a rather nasty line of config-speak compared with most), I copied it, used the hashes from that generator and tested it twice; both sites agreed HPKP was there and valid.
But I was unable to reproduce how the backup key was made. It felt easier than before, with less effort, but I still felt I had no feel for HPKP.
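As an added example (not part of the original post), here is what the "backup key" in the recipe above amounts to: a second key pair generated the same way, whose SPKI hash is pinned now while the key itself stays offline; when rotation is needed it becomes the key behind a new CSR, and no certificate has to be bought for it in advance. It assumes an OpenSSL CLI on PATH; the file names and the /CN=example.invalid subject are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an OpenSSL CLI on PATH.
set -e

# gen_ec_key FILE -> fresh P-384 private key (same curve as the post).
# -noout drops the EC PARAMETERS block the post noticed; only the key is written.
gen_ec_key() {
    openssl ecparam -genkey -noout -name secp384r1 -out "$1" 2>/dev/null
}

# spki_pin KEYFILE -> base64(SHA-256(DER SubjectPublicKeyInfo)), i.e. the HPKP pin.
# The pin depends only on the public key, so a key with no certificate can still be pinned.
spki_pin() {
    openssl pkey -in "$1" -pubout -outform der 2>/dev/null \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# hpkp_header WORKDIR -> prints a Public-Key-Pins value with a live pin and a backup pin.
hpkp_header() {
    dir="$1"
    gen_ec_key "$dir/server.key"   # key the live certificate is issued for
    gen_ec_key "$dir/backup.key"   # offline spare; no certificate exists for it yet
    live=$(spki_pin "$dir/server.key")
    backup=$(spki_pin "$dir/backup.key")
    # Browsers require at least one pin that is NOT in the served chain: that is the backup.
    # If the live key is lost, the backup is the only thing that keeps the site reachable.
    printf 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000\n' "$live" "$backup"
}

# backup_csr KEYFILE CSRFILE -> CSR for the spare key; its SPKI pin is the one already served.
backup_csr() {
    openssl req -new -key "$1" -subj "/CN=example.invalid" -out "$2" 2>/dev/null
}
```

Run `hpkp_header "$(mktemp -d)"` to see the header value; the backup key should then be moved off the web host and only fed to `backup_csr` when a new certificate is actually needed.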
I did not add it to the other zoo domains, it being an unknown quantity. I would guess that if you asked your TLS provider whether it generates backup keys, you'd be told to buy the most expensive SSL they have and be done with you. It appears that encryption files get some extra section, but how it works beyond that is beyond me and the SSL supplier.
I prefer TLSA hashes (my blog) to magical stuff that very few seem to get.
If you're more illuminated than you were, well done, but it still makes it useless.
I also had to replace TLS and I decided to break HPKP.
I discovered that I had no access from Firefox or Chrome.
In Firefox, to disable HPKP, find SiteSecurityServiceState.txt in the profile directory, search for the domain name and delete those entries. Restart and you will gain an uncle Bob.
Chrome is also intentionally screwed up, but since I do not use Chrome it's not an issue; resetting Chrome clears the issue. However, if I can find and edit or delete my HPKP settings back to defaults, I am sure a malware or ransomware bot could as well. I conclude that HPKP is useless.
Tomorrow, cute kitten pictures*
* I joke. ** Still requires TLS certs from a ‘trusted’ SSL source, of which most require money.