1

I have local keyserver that I can access using http://serveraddress:11371.

I want to enable TLS on that keyserver, how should I proceed?

Jens Erat
  • 1,400
  • 2
  • 11
  • 26
Iminder Singh
  • 13
  • 2
  • Could you [expand on your question](https://serverfault.com/help/how-to-ask) a bit to indicate what you have done, and where you are with your efforts? As it stands, it basically sounds like you could put nginx (or apache, or haproxy, or many others) in front of your keyserver and do TLS termination there. – iwaseatenbyagrue Apr 13 '17 at 16:12
  • Also see [the official tutorial - *TLS Configuration*](https://bitbucket.org/skskeyserver/sks-keyserver/wiki/TLS%20Configuration). – Franklin Yu Aug 16 '19 at 14:37

1 Answers1

0

You need to provide a reverse proxy which adds TLS, for example nginx or Apache. Furthermore, you need certificate(s):

  • if you want to participate in the hkps.pool.sks-keyservers.net keyserver pool have to send a certificate request to the pool operator:

    Keyserver operators wanting to be included in this pool will have to send an OpenPGP signed message containing a CSR to a UserID of 0x94CBAFDD30345109561835AA0B7F8B60E3EDFAE3.

    At least some time ago, there was a statement that Kristian Fiskerstrand (the pool operator) expects stable operations of the keyserver for some time before issuing certificates.

  • if you want to offer the key server under an arbitrary domain of yours, you have to get a certificate for that domain on your own.

HKPS is usually offered on port 443, and using SNI to distinguish between the domains (if offering services on both your own domain and the hkps pool) is fine.

Jens Erat
  • 1,400
  • 2
  • 11
  • 26