path: root/lacme.8.md
Diffstat (limited to 'lacme.8.md')
-rw-r--r--lacme.8.md26
1 files changed, 22 insertions, 4 deletions
diff --git a/lacme.8.md b/lacme.8.md
index 4098662..c1bea54 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -332,11 +332,28 @@ Valid options are:
*certificate-key*
-: Path the service's private key. This option is required. The
- following command can be used to generate a new 4096-bits RSA key in
- PEM format with mode 0600:
+: Path to the service's private key. This option is required. The
+ [`genpkey`(1ssl)] command can be used to generate a new service RSA
+ key:
- openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/srv.key
+ $ install -vm0600 /dev/null /path/to/service.rsa.key
+ $ openssl genpkey -algorithm RSA -out /path/to/service.rsa.key
+
+ Alternatively, for an ECDSA key using the NIST P-256 curve:
+
+ $ install -vm0600 /dev/null /path/to/service.ecdsa.key
+ $ openssl genpkey -algorithm EC -out /path/to/service.ecdsa.key \
+ -pkeyopt ec_paramgen_curve:P-256 \
+ -pkeyopt ec_param_enc:named_curve
+
+ `lacme` supports any key algorithm than the underlying libssl
+ (OpenSSL) version is able to manipulate, but the [ACME] server might
+ reject CSRs associated with private keys of deprecated and/or
+ “exotic” algorithms.
+
+ For a dual cert setup (for instance RSA+ECDSA), duplicate the
+ certificate section and use a distinct *certificate-key* resp.
+ *certificate* (or *certificate-chain*) value for each key algorithm.
*min-days*
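Review bot: typo in the new paragraph "`lacme` supports any key algorithm than the underlying libssl": should read "that the underlying libssl". Two more points on this hunk. The removed text recommended a 4096-bit RSA key, but the replacement `openssl genpkey -algorithm RSA -out ...` passes no `-pkeyopt rsa_keygen_bits:...`, so it produces whatever size OpenSSL defaults to (2048 bits in current releases); if 4096 bits is still the intended recommendation, add `-pkeyopt rsa_keygen_bits:4096`, otherwise say explicitly that the default size is acceptable. Also, the `install -vm0600 /dev/null ...` then `-out` sequence only keeps mode 0600 because genpkey truncates and rewrites the pre-created file in place rather than replacing it; a short sentence stating that this is the purpose of the `install` step would help readers who would otherwise write the key elsewhere first. Minor style: "resp." in the dual-cert paragraph reads awkwardly in English; "and a distinct *certificate* (or *certificate-chain*) value" is clearer.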
@@ -407,3 +424,4 @@ See also
[`iptables`(8)]: https://linux.die.net/man/8/iptables
[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
[`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html
+[`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html
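Review bot: reference entry looks correct and matches the `[`genpkey`(1ssl)]` link used in the first hunk. Note the new entry uses the `manmaster/man1/openssl-genpkey.html` path while the existing `ciphers` and `x509v3_config` entries use the older `manmaster/apps/` path; a follow-up could move the older entries to the same `man1/` form for consistency.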