Updates to README to reflect changes, misc. whitespace fixes.

This commit is contained in:
Alex Bramley 2010-03-13 18:04:59 +00:00
parent 3886d28224
commit c6a5ba2704
9 changed files with 51 additions and 50 deletions

View file

@ -83,19 +83,21 @@ for authenticating a client to these services; and *user* certificates for
authentication, S/MIME e-mail signing or encryption, and code signing. There
are minor but important differences in the key usage extensions present in
these different certificate types, details can be found in the documentation
for **ca-create-cert**(1).
for **ca-create-cert**(1). In each case, a Common Name must be provided to give
a unique name for the certificate.
**ca-create-cert**(1) takes a number of options to customise the generated
certificate. The *--type* option is mandatory, and for *server* certs it is very
likely that the *--alt-name* option will be useful to set X.509v3 subjectAltName
DNS records for other hostnames for the server. Both the server hostname and
any alternative names will be fully-qualified to **CA\_DOMAIN** if they do not
contain any dots, but if unqualified names are passed in they are also
preserved as alternative DNS names in the certificate. The private key may be
encrypted with 3DES, and optionally the certificate, key, and CA certificate
can be bundled together into a PKCS#12 format certificate archive. By default
certificates are valid for 365 days from signing, but this may be changed with
the *--days* option.
certificate. The **--type** option defaults to creating *server* certs. It is
likely that the **--alt-name** option (which sets X.509v3 subjectAltName DNS
records for other hostnames for the server) will be useful; it may also be used
when creating *client* certs. Both the server hostname and any alternative
names will be fully-qualified to **CA\_DOMAIN** if they do not contain any dots
unless the **--no-qualify** option is used. If unqualified names are passed in
they are preserved as alternative DNS names in the certificate. The private key
may be encrypted with 3DES using the **--encrypt** option, and the certificate,
key, and CA certificate can be bundled together into a PKCS#12 format
certificate archive by passing **--pkcs12**. By default certificates are valid
for 365 days from signing, but this may be changed with the **--days** option.
The certificate's DN can be completely changed from the defaults provided by
**ca-scripts.conf**(5), but be wary as by default the generated openssl config
@ -122,20 +124,19 @@ signed. In the future it is possible (even likely) that this renewal method
will only be used on *user* type certificates, and the *server* and *client*
types will be renewed normally. If the current renewal method doesn't provide
sufficient security, the current certificate should be revoked and a new one
generated that is valid for the correct period of time using the *--days* option
to **ca-create-cert**(1).
generated that is valid for the correct period of time using the **--days**
option to **ca-create-cert**(1).
As with the certificate creation script the *--type* option is mandatory for
**ca-renew-cert**(1), but the argument may be either a hostname, a username or a
path to a certificate. Internally this will be resolved to the correct
information required for certificate renewal.
As with the certificate creation script a Common Name can be passed to
identify the certificate to renew; alternatively the path to a previously
created certificate can be given. Internally these will be both be resolved to
the correct information required for certificate renewal.
Revoking a certificate
----------------------
To revoke a certificate and re-generate the CA certficate revocation list in
both PEM and DER encodings, invoke **ca-revoke-cert**(1), again providing the
*--type* option and either the hostname, username or the path to the certificate
to be revoked. Along with **ca-init**(1) this script can optionally generate a
basic HTML template to serve the CA certificate and CRL with verifiable MD5 and
SHA1 checksums.
both PEM and DER encodings, invoke **ca-revoke-cert**(1), again providing a
Common Name or the path to the certificate to be revoked. Along with
**ca-init**(1) this script can optionally generate a basic HTML template to
serve the CA certificate and CRL with verifiable MD5 and SHA1 checksums.