documentation: emphasize default values in the config file.

Also, move the most common options ('hash', 'keyUsage', 'CAfile',
'min-days') to the default section.

3 files changed, 30 insertions, 19 deletions

diff --git a/Changelog b/Changelog
index a2cd0bb..f94e81e 100644
--- a/Changelog
+++ b/Changelog
@@ -7,6 +7,9 @@ lacme (0.7.1) upstream;
    just RSA; hint at which key algorithms are supported.
  - documentation: clarify that "file:/path/to/account.key" can point to
    a symmetrically-encrypted private key.
+ - documentation: emphasize default values in the config file, and move
+   the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to
+   the default section.
 
  -- Guilhem Moulin <guilhem@fripost.org>  Wed, 09 Dec 2020 18:23:22 +0100
 
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 232c85b..3e7a577 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -1,13 +1,27 @@
 # Each non-default section refer to separate certificate issuance
 # requests. Options in the default section apply to each sections.
 
-# Message digest to sign the Certificate Signing Request with.
+# Message digest to sign the Certificate Signing Request with,
+# overriding the req(1ssl) default.
 #
-#hash = sha512
+#hash =
 
-# Comma-separated list of Key Usages, see x509v3_config(5ssl).
+# Comma-separated list of Key Usages, for instance "digitalSignature,
+# keyEncipherment", to include in the Certificate Signing Request.
+# See x509v3_config(5ssl) for a list of possible values.
 #
-#keyUsage = digitalSignature, keyEncipherment
+#keyUsage =
+
+# Path to the bundle of trusted issuer certificates.  This is used for
+# validating each certificate after issuance or renewal.  Specifying an
+# empty value skips certificate validation.
+#
+#CAfile = @@datadir@@/lacme/ca-certificates.crt
+
+# For an existing certificate, the minimum number of days before its
+# expiration date the section is considered for re-issuance.
+#
+#min-days = 21
 
 
 #[www]
@@ -25,16 +39,6 @@
 #
 #certificate-chain = /etc/nginx/ssl/srv.chain.pem
 
-# For an existing certificate, the minimum number of days before its
-# expiration date the section is considered for re-issuance.
-#
-#min-days = 21
-
-# Path to trusted issuer certificates, used for validating each issued
-# certificate.  Specifying an empty value skips certificate validation.
-#
-#CAfile = @@datadir@@/lacme/ca-certificates.crt
-
 # Subject field of the Certificate Signing Request.  This option is
 # required.
 #
diff --git a/lacme.8.md b/lacme.8.md
index d98ec8e..5e32dcb 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -366,18 +366,21 @@ Valid options are:
 
 *CAfile*
 
-:   Path to trusted issuer certificates, used for validating each issued
-    certificate.  Specifying an empty values skips certificate validation.
+:   Path to the bundle of trusted issuer certificates.  This is used for
+    validating each certificate after issuance or renewal.  Specifying
+    an empty value skips certificate validation.
     Default: `@@datadir@@/lacme/ca-certificates.crt`.
 
 *hash*
 
-:   Message digest algorithm to sign the Certificate Signing Request
-    with.
+:   Message digest to sign the Certificate Signing Request with,
+    overriding the [`req`(1ssl)] default.
 
 *keyUsage*
 
-:   Comma-separated list of Key Usages, see [`x509v3_config`(5ssl)].
+:   Comma-separated list of Key Usages, for instance `digitalSignature,
+    keyEncipherment`, to include in the Certificate Signing Request.
+    See [`x509v3_config`(5ssl)] for a list of possible values.
 
 *subject*
 
@@ -425,3 +428,4 @@ See also
 [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
 [`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html
 [`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html
+[`req`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-req.html