Updates to README to reflect changes, misc. whitespace fixes.
This commit is contained in:
Alex Bramley
parent
3886d28224
commit
c6a5ba2704
45
README.md
45
README.md
|
|
@ -83,19 +83,21 @@ for authenticating a client to these services; and *user* certificates for
|
||||||
authentication, S/MIME e-mail signing or encryption, and code signing. There
|
authentication, S/MIME e-mail signing or encryption, and code signing. There
|
||||||
are minor but important differences in the key usage extensions present in
|
are minor but important differences in the key usage extensions present in
|
||||||
these different certificate types, details can be found in the documentation
|
these different certificate types, details can be found in the documentation
|
||||||
for **ca-create-cert**(1).
|
for **ca-create-cert**(1). In each case, a Common Name must be provided to give
|
||||||
|
a unique name for the certificate.
|
||||||
|
|
||||||
**ca-create-cert**(1) takes a number of options to customise the generated
|
**ca-create-cert**(1) takes a number of options to customise the generated
|
||||||
certificate. The *--type* option is mandatory, and for *server* certs it is very
|
certificate. The **--type** option defaults to creating *server* certs. It is
|
||||||
likely that the *--alt-name* option will be useful to set X.509v3 subjectAltName
|
likely that the **--alt-name** option (which sets X.509v3 subjectAltName DNS
|
||||||
DNS records for other hostnames for the server. Both the server hostname and
|
records for other hostnames for the server) will be useful; it may also be used
|
||||||
any alternative names will be fully-qualified to **CA\_DOMAIN** if they do not
|
when creating *client* certs. Both the server hostname and any alternative
|
||||||
contain any dots, but if unqualified names are passed in they are also
|
names will be fully-qualified to **CA\_DOMAIN** if they do not contain any dots
|
||||||
preserved as alternative DNS names in the certificate. The private key may be
|
unless the **--no-qualify** option is used. If unqualified names are passed in
|
||||||
encrypted with 3DES, and optionally the certificate, key, and CA certificate
|
they are preserved as alternative DNS names in the certificate. The private key
|
||||||
can be bundled together into a PKCS#12 format certificate archive. By default
|
may be encrypted with 3DES using the **--encrypt** option, and the certificate,
|
||||||
certificates are valid for 365 days from signing, but this may be changed with
|
key, and CA certificate can be bundled together into a PKCS#12 format
|
||||||
the *--days* option.
|
certificate archive by passing **--pkcs12**. By default certificates are valid
|
||||||
|
for 365 days from signing, but this may be changed with the **--days** option.
|
||||||
|
|
||||||
The certificate's DN can be completely changed from the defaults provided by
|
The certificate's DN can be completely changed from the defaults provided by
|
||||||
**ca-scripts.conf**(5), but be wary as by default the generated openssl config
|
**ca-scripts.conf**(5), but be wary as by default the generated openssl config
|
||||||
|
|
@ -122,20 +124,19 @@ signed. In the future it is possible (even likely) that this renewal method
|
||||||
will only be used on *user* type certificates, and the *server* and *client*
|
will only be used on *user* type certificates, and the *server* and *client*
|
||||||
types will be renewed normally. If the current renewal method doesn't provide
|
types will be renewed normally. If the current renewal method doesn't provide
|
||||||
sufficient security, the current certificate should be revoked and a new one
|
sufficient security, the current certificate should be revoked and a new one
|
||||||
generated that is valid for the correct period of time using the *--days* option
|
generated that is valid for the correct period of time using the **--days**
|
||||||
to **ca-create-cert**(1).
|
option to **ca-create-cert**(1).
|
||||||
|
|
||||||
As with the certificate creation script the *--type* option is mandatory for
|
As with the certificate creation script a Common Name can be passed to
|
||||||
**ca-renew-cert**(1), but the argument may be either a hostname, a username or a
|
identify the certificate to renew; alternatively the path to a previously
|
||||||
path to a certificate. Internally this will be resolved to the correct
|
created certificate can be given. Internally these will be both be resolved to
|
||||||
information required for certificate renewal.
|
the correct information required for certificate renewal.
|
||||||
|
|
||||||
Revoking a certificate
|
Revoking a certificate
|
||||||
----------------------
|
----------------------
|
||||||
|
|
||||||
To revoke a certificate and re-generate the CA certficate revocation list in
|
To revoke a certificate and re-generate the CA certficate revocation list in
|
||||||
both PEM and DER encodings, invoke **ca-revoke-cert**(1), again providing the
|
both PEM and DER encodings, invoke **ca-revoke-cert**(1), again providing a
|
||||||
*--type* option and either the hostname, username or the path to the certificate
|
Common Name or the path to the certificate to be revoked. Along with
|
||||||
to be revoked. Along with **ca-init**(1) this script can optionally generate a
|
**ca-init**(1) this script can optionally generate a basic HTML template to
|
||||||
basic HTML template to serve the CA certificate and CRL with verifiable MD5 and
|
serve the CA certificate and CRL with verifiable MD5 and SHA1 checksums.
|
||||||
SHA1 checksums.
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue