From b399fbee737ebe99491bf1370002bbff00a784e0 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 1 Dec 2016 14:26:37 +0100 Subject: "fingerprint" now only pins the cert's SPKI, not the cert itself. --- interimap.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'interimap.md') diff --git a/interimap.md b/interimap.md index 7d119ab..b923933 100644 --- a/interimap.md +++ b/interimap.md @@ -345,12 +345,19 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate (or its public key) in the - form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm - (by default `sha256`). +: Fingerprint of the server certificate's Subject Public Key Info, in + the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by + default `sha256`). Attempting to connect to a server with a non-matching certificate - fingerprint causes `interimap` to abort the connection during the - SSL/TLS handshake. + SPKI fingerprint causes `interimap` to abort the connection during + the SSL/TLS handshake. + + You can use the following command to compute the SHA-256 digest of + certificate's Subject Public Key Info. + + openssl x509 -in /path/to/server/certificate.pem -pubkey \ + | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 *SSL_verify* -- cgit v1.2.3
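Review bot: the new text in this hunk does not tell existing users that their configured `SSL_fingerprint` values need recomputing: a digest taken over the whole certificate under the old behaviour will no longer match the SPKI digest, so upgrading with an old value means the handshake aborts with a "non-matching SPKI fingerprint" error. A sentence noting the change (and that a pinned SPKI digest keeps matching after a certificate renewal that reuses the same key, but not after a key rotation) would save users a confusing failure. Two smaller points on the added example: the sentence "compute the SHA-256 digest of certificate's Subject Public Key Info" is missing "the", and `openssl x509 -in ... -pubkey` prints the certificate as well as the public key, so adding `-noout` makes the pipeline's input unambiguous; it would also help to say that `openssl dgst -sha256` prints `(stdin)= <hex>` and that only the hex part goes into `DIGEST_HEX`.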