Updates to README to reflect changes, misc. whitespace fixes.
This commit is contained in:
Alex Bramley
parent
3886d28224
commit
c6a5ba2704
45
README.md
45
README.md
|
|
@ -83,19 +83,21 @@ for authenticating a client to these services; and *user* certificates for
|
|||
authentication, S/MIME e-mail signing or encryption, and code signing. There
|
||||
are minor but important differences in the key usage extensions present in
|
||||
these different certificate types, details can be found in the documentation
|
||||
for **ca-create-cert**(1).
|
||||
for **ca-create-cert**(1). In each case, a Common Name must be provided to give
|
||||
a unique name for the certificate.
|
||||
|
||||
**ca-create-cert**(1) takes a number of options to customise the generated
|
||||
certificate. The *--type* option is mandatory, and for *server* certs it is very
|
||||
likely that the *--alt-name* option will be useful to set X.509v3 subjectAltName
|
||||
DNS records for other hostnames for the server. Both the server hostname and
|
||||
any alternative names will be fully-qualified to **CA\_DOMAIN** if they do not
|
||||
contain any dots, but if unqualified names are passed in they are also
|
||||
preserved as alternative DNS names in the certificate. The private key may be
|
||||
encrypted with 3DES, and optionally the certificate, key, and CA certificate
|
||||
can be bundled together into a PKCS#12 format certificate archive. By default
|
||||
certificates are valid for 365 days from signing, but this may be changed with
|
||||
the *--days* option.
|
||||
certificate. The **--type** option defaults to creating *server* certs. It is
|
||||
likely that the **--alt-name** option (which sets X.509v3 subjectAltName DNS
|
||||
records for other hostnames for the server) will be useful; it may also be used
|
||||
when creating *client* certs. Both the server hostname and any alternative
|
||||
names will be fully-qualified to **CA\_DOMAIN** if they do not contain any dots
|
||||
unless the **--no-qualify** option is used. If unqualified names are passed in
|
||||
they are preserved as alternative DNS names in the certificate. The private key
|
||||
may be encrypted with 3DES using the **--encrypt** option, and the certificate,
|
||||
key, and CA certificate can be bundled together into a PKCS#12 format
|
||||
certificate archive by passing **--pkcs12**. By default certificates are valid
|
||||
for 365 days from signing, but this may be changed with the **--days** option.
|
||||
|
||||
The certificate's DN can be completely changed from the defaults provided by
|
||||
**ca-scripts.conf**(5), but be wary as by default the generated openssl config
|
||||
|
|
@ -122,20 +124,19 @@ signed. In the future it is possible (even likely) that this renewal method
|
|||
will only be used on *user* type certificates, and the *server* and *client*
|
||||
types will be renewed normally. If the current renewal method doesn't provide
|
||||
sufficient security, the current certificate should be revoked and a new one
|
||||
generated that is valid for the correct period of time using the *--days* option
|
||||
to **ca-create-cert**(1).
|
||||
generated that is valid for the correct period of time using the **--days**
|
||||
option to **ca-create-cert**(1).
|
||||
|
||||
As with the certificate creation script the *--type* option is mandatory for
|
||||
**ca-renew-cert**(1), but the argument may be either a hostname, a username or a
|
||||
path to a certificate. Internally this will be resolved to the correct
|
||||
information required for certificate renewal.
|
||||
As with the certificate creation script a Common Name can be passed to
|
||||
identify the certificate to renew; alternatively the path to a previously
|
||||
created certificate can be given. Internally these will be both be resolved to
|
||||
the correct information required for certificate renewal.
|
||||
|
||||
Revoking a certificate
|
||||
----------------------
|
||||
|
||||
To revoke a certificate and re-generate the CA certficate revocation list in
|
||||
both PEM and DER encodings, invoke **ca-revoke-cert**(1), again providing the
|
||||
*--type* option and either the hostname, username or the path to the certificate
|
||||
to be revoked. Along with **ca-init**(1) this script can optionally generate a
|
||||
basic HTML template to serve the CA certificate and CRL with verifiable MD5 and
|
||||
SHA1 checksums.
|
||||
both PEM and DER encodings, invoke **ca-revoke-cert**(1), again providing a
|
||||
Common Name or the path to the certificate to be revoked. Along with
|
||||
**ca-init**(1) this script can optionally generate a basic HTML template to
|
||||
serve the CA certificate and CRL with verifiable MD5 and SHA1 checksums.
|
||||
|
|
|
|||
Loading…
Reference in New Issue