chiark / gitweb /
Add some useful-looking TLSA records to hedge against CA uselessness.
author	Mark Wooding <mdw@distorted.org.uk>
	Mon, 22 Dec 2014 18:21:13 +0000 (18:21 +0000)
committer	Mark Wooding <mdw@distorted.org.uk>
	Tue, 23 Dec 2014 01:31:18 +0000 (01:31 +0000)
Also to help convince outsiders about our own CA.

certs/distorted-ca.cert [new file with mode: 0644]
certs/http-server-www#1.cert [new file with mode: 0644]
distorted.lisp

diff --git a/certs/distorted-ca.cert b/certs/distorted-ca.cert
new file mode 100644 (file)
index 0000000..4aff3dd
--- /dev/null
@@ -0,0 +1,110 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 16570956933538312940 (0xe5f7dd88cbd8f2ec)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Cambridgeshire, L=Cambridge, O=distorted.org.uk, CN=distorted.org.uk Certificate Authority/emailAddress=ca@distorted.org.uk
+        Validity
+            Not Before: Dec  1 14:27:13 2012 GMT
+            Not After : Nov 29 14:27:13 2022 GMT
+        Subject: C=GB, ST=Cambridgeshire, L=Cambridge, O=distorted.org.uk, CN=distorted.org.uk Certificate Authority/emailAddress=ca@distorted.org.uk
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:ba:88:24:78:37:a2:42:8b:1a:03:88:28:46:d8:
+                    dc:ad:3a:20:ba:2e:d0:fd:3b:b1:09:64:4a:63:35:
+                    cb:ff:ab:c4:b3:31:19:80:00:ca:67:b8:90:86:3d:
+                    fd:2c:72:c4:31:40:99:00:e8:cf:4e:72:54:9a:6e:
+                    b1:11:ed:0b:c5:de:9d:88:f2:03:93:f1:ee:3a:d9:
+                    56:4e:cb:c7:5c:2e:c3:41:e4:d8:d3:a9:cd:54:b1:
+                    43:e4:4f:24:f4:1c:d6:3d:11:f1:12:b4:a5:89:4a:
+                    d5:8e:99:6c:ef:85:ca:64:23:07:3b:f6:91:fa:86:
+                    e9:db:55:5f:8d:2c:5f:8b:dd:0e:02:49:59:4a:31:
+                    b9:57:6a:97:f9:50:e4:5a:f6:df:20:53:4f:53:bb:
+                    01:08:f6:2c:59:08:db:6b:ee:b9:e2:ef:db:f6:35:
+                    24:12:29:e7:10:49:52:80:8e:9f:d3:16:96:94:ae:
+                    68:bc:40:c9:a7:9a:08:9c:7e:4f:d0:c1:ae:45:b0:
+                    8a:da:a6:60:5d:29:06:8f:a3:af:ed:72:1a:ef:c6:
+                    cf:bf:2b:3f:c0:2f:26:30:85:63:04:4b:61:8c:20:
+                    da:0a:f9:c1:4a:10:66:bf:ab:fe:ef:41:55:d3:c9:
+                    ab:29:a9:03:94:f0:13:08:a2:14:f3:e8:50:c4:01:
+                    31:41:61:06:e9:14:13:3b:52:bb:01:ef:09:40:4f:
+                    27:78:7b:6e:13:61:6c:24:ce:bf:60:c0:06:eb:87:
+                    31:ac:00:b0:f1:0a:5c:3b:72:92:3a:3c:ee:8a:69:
+                    22:25:af:87:21:5e:47:98:62:86:0e:2b:72:87:ad:
+                    7d:a9:79:5f:80:3b:52:1c:f8:9b:09:72:ce:9a:e9:
+                    d2:07:3e:1e:58:d9:1c:5b:3f:e3:cc:4e:ef:9d:54:
+                    45:91:83:6a:99:92:9a:42:b1:54:ff:67:9d:fc:49:
+                    02:9f:b0:cd:7d:3a:d1:8f:5b:d3:69:dd:ba:eb:08:
+                    c6:7e:4a:80:58:d6:0f:10:c5:3f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign
+            X509v3 Subject Key Identifier: 
+                73:9C:A1:60:E2:B2:1B:D0:F2:10:33:C1:11:97:73:9A:6E:5B:AB:CA
+            X509v3 Subject Alternative Name: 
+                email:ca@distorted.org.uk
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://www.distorted.org.uk/ca/crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+         6b:1f:b0:49:bc:07:25:8a:75:47:03:b4:85:47:c8:b6:9b:93:
+         6b:7c:aa:c9:15:74:eb:d2:81:57:10:e2:6c:b6:42:4a:4b:18:
+         11:80:04:1b:1e:67:63:41:70:a1:b3:2a:6c:e6:82:77:9d:a4:
+         83:9e:f0:e4:c7:0e:56:0f:f1:1e:61:ff:a3:27:f1:4b:aa:9a:
+         fd:27:a7:ba:13:f9:9a:b6:b8:e6:6d:78:fc:2b:21:5f:62:b7:
+         73:3a:38:94:30:4e:80:b7:1f:84:dc:1a:68:da:fa:99:19:08:
+         c3:e0:7f:d2:08:8b:25:c1:69:e5:d5:24:5e:33:4c:5c:cc:d2:
+         a7:27:2b:01:da:3c:50:c3:58:64:73:f7:7f:88:12:b5:6e:41:
+         eb:07:8e:c5:79:e7:3d:e1:da:e6:9b:3c:c8:c4:b9:92:71:a1:
+         5d:01:95:4e:92:9e:e5:7f:ed:71:e4:27:3e:97:10:de:5d:1a:
+         a1:37:a3:1f:f0:fe:09:fe:ce:72:e7:f5:a0:5c:54:19:6f:f7:
+         62:a8:c8:66:09:77:6c:d8:73:d9:1d:c0:cd:65:c9:bd:27:9a:
+         8a:10:dc:0b:1e:08:ec:39:99:50:89:2f:bc:ca:a2:13:55:c6:
+         7f:2c:96:f1:2b:46:cf:9c:70:31:9d:7f:11:72:18:67:5d:a7:
+         c9:03:a7:1f:6b:cc:ac:a3:ae:e2:2e:01:bd:7f:a3:8d:ca:aa:
+         20:72:9c:81:84:5b:34:c5:93:1a:bd:e7:52:4f:00:9a:dd:c3:
+         af:0a:a1:e4:64:aa:d9:62:80:ce:b9:c8:57:38:03:54:d0:e1:
+         ae:0c:a9:09:da:44:88:32:58:0d:58:1f:6d:f5:c8:9b:65:fe:
+         02:57:44:ea:e1:ae:42:5f:63:24:b6:f2:99:d8:e0:3d:35:6c:
+         64:da:f7:7f:1c:f7:31:96:a4:38:93:ca:10:bc:e6:bf:d8:92:
+         ae:bc:e2:c1:df:57:45:6b:71:7b:d0:ea:43:8e:c7:87:61:77:
+         16:17:10:01:ef:6b
+-----BEGIN CERTIFICATE-----
(PEM body elided)
+-----END CERTIFICATE-----
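Review bot: the critical Key Usage extension asserts only `Certificate Sign`, yet the certificate advertises a CRL Distribution Point at http://www.distorted.org.uk/ca/crl; a CRL signed with this CA key will be rejected by validators that enforce keyUsage, since RFC 5280 §4.2.1.3 requires the cRLSign bit when the key verifies CRL signatures. If the CRL really is signed by this key, the CA certificate needs reissuing with `Certificate Sign, CRL Sign`; if a separate CRL issuer is used, say so in a comment next to the file. Two smaller points: Basic Constraints carries no pathlen, so anything this CA issues can itself act as a CA, which a DANE-TA record built from this file inherits, and `pathlen:0` would tighten that; and the file keeps the `openssl x509 -text` dump ahead of the PEM block, which is fine only if the consumer of `#p"certs/distorted-ca.cert"` in distorted.lisp parses just the PEM.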
diff --git a/certs/http-server-www#1.cert b/certs/http-server-www#1.cert
new file mode 100644 (file)
index 0000000..29a6326
--- /dev/null
@@ -0,0 +1,130 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1387014 (0x152a06)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
+        Validity
+            Not Before: Dec 20 04:07:45 2014 GMT
+            Not After : Dec 21 00:30:39 2015 GMT
+        Subject: C=GB, CN=www.distorted.org.uk/emailAddress=webmaster@distorted.org.uk
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:9f:62:f3:4c:fa:9a:4c:62:c8:31:c3:54:6f:b5:
+                    7b:9e:cc:9c:e0:d8:fd:4e:b6:6c:97:d0:28:c4:1e:
+                    09:07:07:e2:85:42:ad:d5:49:2d:94:06:55:9e:99:
+                    0c:c8:f7:0b:6a:72:ad:5d:2c:66:cc:df:84:ea:88:
+                    46:43:a9:39:42:d7:d4:09:3f:1b:26:39:c6:69:71:
+                    ae:f2:02:98:db:79:13:b4:d3:26:60:8b:c5:eb:fb:
+                    c7:51:84:3a:64:0b:e3:02:e9:13:8e:fa:a6:b7:cb:
+                    66:49:55:9e:e3:cb:9a:a4:ed:0c:3a:4b:c1:e0:de:
+                    e8:03:29:88:8d:b6:43:bd:c5:e6:a0:c6:04:78:1d:
+                    6f:65:48:8f:7d:13:e9:3e:ae:b2:03:df:43:57:19:
+                    f9:8f:85:15:dc:4f:78:3b:65:5b:90:46:28:5f:32:
+                    4c:5b:8c:29:69:73:ba:fc:00:25:5c:2b:7a:2d:26:
+                    d1:ad:7b:28:07:21:db:27:ea:b3:81:7b:25:a5:e4:
+                    cc:ec:d6:85:88:63:c3:29:7e:10:e6:3c:cb:2a:1d:
+                    77:72:c0:bb:34:b8:c9:62:3e:bf:d8:f5:e6:d8:d5:
+                    73:df:5b:1e:90:f4:aa:51:d0:7f:f3:16:03:43:31:
+                    d5:4b:1e:91:1e:92:0f:e9:dc:95:36:9a:0e:80:60:
+                    d3:98:c7:62:fb:af:76:87:e7:9b:0f:7e:1d:be:dc:
+                    22:1a:46:ff:b7:5b:39:01:79:cd:3a:ef:25:16:3c:
+                    86:6a:e1:1e:f4:e8:cb:0b:ff:cd:4c:66:dc:36:50:
+                    77:9d:1a:35:77:5a:85:89:b0:ea:fb:43:0f:7f:19:
+                    7f:d8:dd:6a:cd:a3:c3:85:12:3e:e3:39:5b:89:ec:
+                    fc:78:df:39:2e:ae:94:7e:1a:ac:62:0c:dc:5a:fc:
+                    09:b6:9f:82:4d:2c:ad:f3:2b:68:44:22:da:42:ca:
+                    85:d6:9c:46:e5:37:cc:7d:65:c5:62:e3:d8:e5:58:
+                    28:01:18:1b:27:40:d6:d5:dd:e5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                A9:DF:AD:DC:D2:3B:DD:6A:E6:AF:CC:B1:28:60:3A:5F:5E:29:D0:85
+            X509v3 Authority Key Identifier: 
+                keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
+
+            X509v3 Subject Alternative Name: 
+                DNS:www.distorted.org.uk, DNS:distorted.org.uk
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+                Policy: 1.3.6.1.4.1.23223.1.2.3
+                  CPS: http://www.startssl.com/policy.pdf
+                  User Notice:
+                    Organization: StartCom Certification Authority
+                    Number: 1
+                    Explicit Text: This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://crl.startssl.com/crt1-crl.crl
+
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
+                CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
+
+            X509v3 Issuer Alternative Name: 
+                URI:http://www.startssl.com/
+    Signature Algorithm: sha256WithRSAEncryption
+         a7:cc:45:92:89:84:06:e0:39:20:4e:37:58:f2:02:e3:6c:c9:
+         43:c6:d9:06:68:ea:fe:40:e3:d8:b3:a2:3c:63:8a:03:86:76:
+         83:83:38:2b:ea:9d:14:f9:2a:89:8d:0c:31:d4:83:f5:ac:5c:
+         fc:fc:2b:ac:f7:a8:7c:2f:b9:1b:2d:7d:8d:dd:ea:45:89:d5:
+         3a:24:f1:9b:1e:9c:ef:25:4c:6c:77:37:4f:48:d3:79:1c:fe:
+         ef:a5:29:8c:3e:f1:42:be:83:50:6a:73:c2:46:4e:5c:a7:5a:
+         fc:0f:73:1e:c8:fd:e6:a9:45:5a:61:d4:5b:35:06:6a:60:b3:
+         79:77:e3:8a:bd:12:d7:47:cd:cc:7d:2f:f2:cc:9c:c5:fe:97:
+         98:72:6f:1a:c1:9e:5e:57:99:a6:93:b0:9a:bd:4c:f6:14:e3:
+         c7:16:9a:28:2b:b2:36:5e:b7:1c:8e:d3:bf:97:ed:07:11:1d:
+         6d:d4:51:e4:90:e1:18:b2:7a:15:d5:ec:bf:1b:b5:3c:8d:a5:
+         69:28:da:cb:47:a9:68:be:eb:0e:3b:58:49:c1:9d:5c:8d:c6:
+         c6:e1:2a:28:c1:f0:66:e9:c4:e9:7f:50:3e:f3:d8:ad:47:39:
+         cf:f9:65:ee:d8:e4:61:b2:48:db:c0:92:1b:bb:1d:55:6d:c4:
+         5d:52:7c:0c
+-----BEGIN CERTIFICATE-----
(PEM body elided)
+-----END CERTIFICATE-----
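Review bot: this end-entity certificate is valid only until 21 Dec 2015, and the record derived from it in distorted.lisp (`:service-certificate-constraint :certificate :sha-256`) digests the certificate itself, so the TLSA record stops matching at the first renewal unless the new file is committed and the zone regenerated before the old certificate is swapped out, with both old and new records published across the overlap as DANE rollover requires. If the zone generator offers a SubjectPublicKeyInfo selector, using it instead of `:certificate` would let the record survive renewals that keep this 3072-bit key. The SAN (`DNS:www.distorted.org.uk, DNS:distorted.org.uk`) matches the `(www @)` owner names the record is attached to, so that part is consistent; `git`, `www-cache` and `mail` are not covered here, which is why they are correctly pinned to the private CA instead.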
index 73fd09d..5dde19a 100644 (file)
@@ -138,6 +138,18 @@ (defzone distorted.org.uk
             (jump :svc jazz.jump :sshfp "jazz"))
   ((git www mail) (colo :svc stratocaster.colo :sshfp "stratocaster")
                  (jump :svc stratocaster.jump :sshfp "stratocaster"))
+  ((www @) :tlsa (:https (:service-certificate-constraint
+                         :certificate :sha-256
+                         #p"certs/http-server-www#1.cert")))
+  (git :tlsa (:https (:trust-anchor-assertion
+                     :certificate :sha-256
+                     #p"certs/distorted-ca.cert")))
+  (www-cache :tlsa (3127 (:trust-anchor-assertion
+                         :certificate :sha-256
+                         #p"certs/distorted-ca.cert")))
+  (mail :tlsa ((:smtp :submission :imap) (:trust-anchor-assertion
+                                         :certificate :sha-256
+                                         #p"certs/distorted-ca.cert")))
   :svc #+view/inside stratocaster.colo
        #-view/inside stratocaster.jump
   (cabal :svc stratocaster.colo :sshfp "stratocaster")
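Review bot: the three `:trust-anchor-assertion` records (DANE-TA, usage 2) publish a SHA-256 digest of distorted-ca.cert, not the certificate itself, so a DANE client can only build the chain if the server's TLS handshake includes the CA certificate (RFC 7671 §5.2.2); the git, www-cache (port 3127) and mail (smtp/submission/imap) servers therefore need the distorted CA cert in their chain files, and that should be verified alongside this change. The `(www @)` record uses `:service-certificate-constraint` (PKIX-EE, usage 1), which still requires the StartCom chain to validate, so it only narrows which CA-issued certificate is accepted and offers nothing if StartCom trust is withdrawn; a usage 3 (DANE-EE) record would keep working in that case, which may be closer to the "hedge" the commit message describes. For `mail`, usage 2 is the right choice, since RFC 7672 SMTP clients ignore PKIX usages, but the record must live at the name the MX points to, so check that the MX target is `mail`. Finally, none of these records has any effect until the distorted.org.uk zone is DNSSEC-signed, which this hunk does not show; and the `#` in `certs/http-server-www#1.cert` is legal inside a CL pathname string but will need quoting in any make or shell tooling that touches the file.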