aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Changelog3
-rw-r--r--config/lacme-certs.conf32
-rw-r--r--lacme.8.md14
3 files changed, 30 insertions, 19 deletions
diff --git a/Changelog b/Changelog
index a2cd0bb..f94e81e 100644
--- a/Changelog
+++ b/Changelog
@@ -7,6 +7,9 @@ lacme (0.7.1) upstream;
just RSA; hint at which key algorithms are supported.
- documentation: clarify that "file:/path/to/account.key" can point to
a symmetrically-encrypted private key.
+ - documentation: emphasize default values in the config file, and move
+ the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to
+ the default section.
-- Guilhem Moulin <guilhem@fripost.org> Wed, 09 Dec 2020 18:23:22 +0100
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 232c85b..3e7a577 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -1,13 +1,27 @@
# Each non-default section refer to separate certificate issuance
# requests. Options in the default section apply to each sections.
-# Message digest to sign the Certificate Signing Request with.
+# Message digest to sign the Certificate Signing Request with,
+# overriding the req(1ssl) default.
#
-#hash = sha512
+#hash =
-# Comma-separated list of Key Usages, see x509v3_config(5ssl).
+# Comma-separated list of Key Usages, for instance "digitalSignature,
+# keyEncipherment", to include in the Certificate Signing Request.
+# See x509v3_config(5ssl) for a list of possible values.
#
-#keyUsage = digitalSignature, keyEncipherment
+#keyUsage =
+
+# Path to the bundle of trusted issuer certificates. This is used for
+# validating each certificate after issuance or renewal. Specifying an
+# empty value skips certificate validation.
+#
+#CAfile = @@datadir@@/lacme/ca-certificates.crt
+
+# For an existing certificate, the minimum number of days before its
+# expiration date the section is considered for re-issuance.
+#
+#min-days = 21
#[www]
@@ -25,16 +39,6 @@
#
#certificate-chain = /etc/nginx/ssl/srv.chain.pem
-# For an existing certificate, the minimum number of days before its
-# expiration date the section is considered for re-issuance.
-#
-#min-days = 21
-
-# Path to trusted issuer certificates, used for validating each issued
-# certificate. Specifying an empty value skips certificate validation.
-#
-#CAfile = @@datadir@@/lacme/ca-certificates.crt
-
# Subject field of the Certificate Signing Request. This option is
# required.
#
diff --git a/lacme.8.md b/lacme.8.md
index d98ec8e..5e32dcb 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -366,18 +366,21 @@ Valid options are:
*CAfile*
-: Path to trusted issuer certificates, used for validating each issued
- certificate. Specifying an empty values skips certificate validation.
+: Path to the bundle of trusted issuer certificates. This is used for
+ validating each certificate after issuance or renewal. Specifying
+ an empty value skips certificate validation.
Default: `@@datadir@@/lacme/ca-certificates.crt`.
*hash*
-: Message digest algorithm to sign the Certificate Signing Request
- with.
+: Message digest to sign the Certificate Signing Request with,
+ overriding the [`req`(1ssl)] default.
*keyUsage*
-: Comma-separated list of Key Usages, see [`x509v3_config`(5ssl)].
+: Comma-separated list of Key Usages, for instance `digitalSignature,
+ keyEncipherment`, to include in the Certificate Signing Request.
+ See [`x509v3_config`(5ssl)] for a list of possible values.
*subject*
@@ -425,3 +428,4 @@ See also
[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
[`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html
[`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html
+[`req`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-req.html