usage of selectors with dknewkey

Asked by Danie de Jager

When I create my DKIM keys I usually tie the selector to the key by putting it in the CN field, using openssl.

openssl req -new -x509 -nodes -sha256 -days 730 -key domain.key -out domain.crt -subj "/C=ZA/ST=Johannesburg/L=Gauteng/O=Striata/OU=Messaging/CN=selector@domain_name"

Does dknewkey create the key using the CN value I give it, so I should create a DKIM key for selector1._domainkey.domain.com and not directly for domain.com?

Question information

Language: English
Status: Solved
For: dkimpy
Assignee: No assignee
Solved by: Scott Kitterman

This question was reopened

#1 Danie de Jager (danie.dejager) said:

It seems that all this time I incorrectly thought that changing the cert's CN would also change the public key. If the private key stays the same, the public key stays the same.

#2 Danie de Jager (danie.dejager) said:

I've come to realise that our software uses the cert's CN to internally match a certificate to an Organisational Unit. Then the software knows which cert to use for which From address. Our software does ADSP signing, so the From addresses matter.

#4 Scott Kitterman (kitterman) said (best answer):

Use of CN values isn't part of the DKIM key format, so it's not supported. Once you need to move to the new Ed25519 keys, they aren't X.509 at all, so such an approach isn't even possible. I'd encourage you to consider another way to solve your problem for the long run.
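An added example, not code from dkimpy or from anyone in this thread, that makes the point of the question and of this answer concrete: the value published under selector._domainkey.<domain> is the base64 SubjectPublicKeyInfo derived from the private key alone, so two self-signed certificates with different CNs over the same key produce the identical DKIM record. It assumes openssl is on PATH; the domain, selector and subject values are made up.

```shell
#!/bin/sh
# Added example, not code from dkimpy or from this thread. Assumes openssl is
# in PATH and that mktemp can create a scratch directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One private key; everything below is derived from it.
gen_private_key() {
  openssl genrsa -out "$WORK/domain.key" 2048 2>/dev/null
}

# Self-signed certificate over that key with whatever CN the caller wants,
# mirroring the openssl req command in the question (subject values made up).
make_cert() {  # $1 = CN, $2 = output file
  openssl req -new -x509 -nodes -sha256 -days 730 -key "$WORK/domain.key" \
    -out "$2" -subj "/C=ZA/O=Example/CN=$1" 2>/dev/null
}

# SubjectPublicKeyInfo DER, base64 on one line: the bytes DKIM publishes in p=.
pubkey_from_key() {
  openssl rsa -in "$WORK/domain.key" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Same encoding, but read out of a certificate instead of the key file.
pubkey_from_cert() {  # $1 = certificate file
  openssl x509 -in "$1" -pubkey -noout \
    | openssl rsa -pubin -outform DER 2>/dev/null | openssl base64 -A
}

# The DNS record: the selector is part of the owner name, never of the key.
dkim_record() {  # $1 = selector, $2 = domain
  printf '%s._domainkey.%s IN TXT "v=DKIM1; k=rsa; p=%s"\n' "$1" "$2" "$(pubkey_from_key)"
}

demo() {
  gen_private_key
  make_cert "selector1@example.com" "$WORK/a.crt"
  make_cert "selector2@example.com" "$WORK/b.crt"
  k=$(pubkey_from_key)
  if [ "$k" = "$(pubkey_from_cert "$WORK/a.crt")" ] && \
     [ "$k" = "$(pubkey_from_cert "$WORK/b.crt")" ]; then
    echo "both certificates carry the same public key; the CN changed nothing"
  fi
  dkim_record selector1 example.com
}
demo
```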

#5 Danie de Jager (danie.dejager) said:

Thanks Scott Kitterman, that solved my question.