From 79edb6eea5e009e5b49876728f7477a8524e98ec Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 19:51:56 +0100 Subject: documentation: emphasize default values in the config file. Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section. --- config/lacme-certs.conf | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) (limited to 'config/lacme-certs.conf') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 232c85b..3e7a577 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -1,13 +1,27 @@ # Each non-default section refer to separate certificate issuance # requests. Options in the default section apply to each sections. -# Message digest to sign the Certificate Signing Request with. +# Message digest to sign the Certificate Signing Request with, +# overriding the req(1ssl) default. # -#hash = sha512 +#hash = -# Comma-separated list of Key Usages, see x509v3_config(5ssl). +# Comma-separated list of Key Usages, for instance "digitalSignature, +# keyEncipherment", to include in the Certificate Signing Request. +# See x509v3_config(5ssl) for a list of possible values. # -#keyUsage = digitalSignature, keyEncipherment +#keyUsage = + +# Path to the bundle of trusted issuer certificates. This is used for +# validating each certificate after issuance or renewal. Specifying an +# empty value skips certificate validation. +# +#CAfile = @@datadir@@/lacme/ca-certificates.crt + +# For an existing certificate, the minimum number of days before its +# expiration date the section is considered for re-issuance. +# +#min-days = 21 #[www] 
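Review bot: The CAfile comment added to the default section does not warn that an empty value behaves differently from the `#hash =` and `#keyUsage =` entries in the same hunk. For those two, empty means "use the default", whereas an empty `CAfile` skips validation of the issued certificate. Because the header comment says default-section settings apply to every section, an operator who uncomments `CAfile =` by analogy would switch validation off for all certificates at once. I would extend the CAfile comment with a sentence such as `# Leave this setting commented out to use the default bundle; an empty value disables validation for all sections it applies to.`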
@@ -25,16 +39,6 @@ # #certificate-chain = /etc/nginx/ssl/srv.chain.pem -# For an existing certificate, the minimum number of days before its -# expiration date the section is considered for re-issuance. -# -#min-days = 21 - -# Path to trusted issuer certificates, used for validating each issued -# certificate. Specifying an empty value skips certificate validation. -# -#CAfile = @@datadir@@/lacme/ca-certificates.crt - # Subject field of the Certificate Signing Request. This option is # required. # -- cgit v1.2.3 From e751a1e0215342be52da2c086ad2e7bc8901229e Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 20:10:30 +0100 Subject: s/\.pem$/.crt/ --- config/lacme-certs.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'config/lacme-certs.conf') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 3e7a577..038d685 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -32,12 +32,12 @@ # Where to store the issued certificate (in PEM format). # -#certificate = /etc/nginx/ssl/srv.pem +#certificate = /etc/nginx/ssl/srv.crt # Where to store the issued certificate along with its chain of trust # (in PEM format). # -#certificate-chain = /etc/nginx/ssl/srv.chain.pem +#certificate-chain = /etc/nginx/ssl/srv.chain.crt # Subject field of the Certificate Signing Request. This option is # required. @@ -65,7 +65,7 @@ #[smtp] #certificate-key = /etc/postfix/ssl/srv.key -#certificate-chain = /etc/postfix/ssl/srv.pem +#certificate-chain = /etc/postfix/ssl/srv.crt #subject = /CN=smtp.example.org #notify = /bin/systemctl reload postfix -- cgit v1.2.3 From 681bf10e103b84b278491e6fff88e9d600ada72d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Feb 2021 22:13:31 +0100 Subject: Improve keyUsage documentation. --- config/lacme-certs.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'config/lacme-certs.conf') 
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 038d685..91c2b3d 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -8,7 +8,8 @@ # Comma-separated list of Key Usages, for instance "digitalSignature, # keyEncipherment", to include in the Certificate Signing Request. -# See x509v3_config(5ssl) for a list of possible values. +# See x509v3_config(5ssl) for a list of possible values. Note that the +# ACME might override the value provided here. # #keyUsage = -- cgit v1.2.3 From 4a502836164821b9faa56d363c8fb116ce032321 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 19 Feb 2021 18:11:09 +0100 Subject: Wording: s/option/setting/. --- config/lacme-certs.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'config/lacme-certs.conf') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 91c2b3d..5259690 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -1,5 +1,5 @@ # Each non-default section refer to separate certificate issuance -# requests. Options in the default section apply to each sections. +# requests. Settings in the default section apply to each sections. # Message digest to sign the Certificate Signing Request with, # overriding the req(1ssl) default. @@ -27,7 +27,7 @@ #[www] -# Path the service's private key. This option is required. +# Path the service's private key. This setting is required. # #certificate-key = /etc/nginx/ssl/srv.key @@ -40,7 +40,7 @@ # #certificate-chain = /etc/nginx/ssl/srv.chain.crt -# Subject field of the Certificate Signing Request. This option is +# Subject field of the Certificate Signing Request. This setting is # required. # #subject = /CN=example.org -- cgit v1.2.3
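Review bot: In the keyUsage hunk of 681bf10, "the ACME" is missing its noun (presumably the ACME server), and the added sentence gives the reader nothing to act on. The CSR value is only a request, so anyone relying on a restricted Key Usage should be pointed at the issued certificate. I would word it as `# Note that the ACME server might override the value provided here; check the Key Usage extension of the issued certificate if a deployment depends on it.` This is a comment-only suggestion.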