Certificate signing with an ePass2003

I have a fairly creative SSL setup on my webserver: I run my own ‘certificate authority’ which signs the server certificate; I have a bunch of alternative names specified; the CA certificate sits on an ePass2003 PKI token. I’m writing down how I sign certificates in this context so I can use this to look up the procedure instead of spending hours in DuckDuckGo. This is more of a tutorial than elegant prose.

Time-invariant equality in assembly

For crypto code it's important that it's time-invariant, otherwise it is vulnerable to timing attacks. I've had to build this time-invariant equality test from scratch, because I couldn't find anything on Google. I hope it's useful to someone else.

Users of PGP will be aware of the many keyservers around the web. has launched as an interesting alternative to the 'boring' and complicated keyservers. They provide an easy CLI client and web client (if you choose to share your private key - I didn't) for PGP crypto, where you don't need to know someone's key id - just their username on Twitter or GitHub.