From f62a66c6ce82d9a1af241dc3952250362e601d45 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 14 Feb 2021 23:46:40 +0100 Subject: Add support for TLS Feature extension from RFC 7633. This is mostly useful for OCSP Must-Staple. --- lacme.8.md | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 76cdd0d..00a62a2 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -368,6 +368,18 @@ Valid options are: Default: the value of the CLI option `--min-days`, or `21` if there is no such option. +*subject* + +: Subject field of the Certificate Signing Request, in the form + `/type0=value0/type1=value1/type2=…`. This option is required. + +*subjectAltName* + +: Comma-separated list of Subject Alternative Names, in the form + `type0:value1,type1:value1,type2:…` + The only `type` currently supported is `DNS`, to specify an + alternative domain name. + *CAfile* : Path to the bundle of trusted issuer certificates. This is used for 
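Review bot: the `subjectAltName` entry relocated in this hunk carries a typo in its format example, `type0:value1,type1:value1,type2:…`, where the first value should be `value0` to match the `subject` example `/type0=value0/type1=value1/type2=…` two lines above it; since the text is being moved anyway, correct it to `type0:value0,type1:value1,type2:…` and end that line with a period, as the `subject` entry and the other options in this list do.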
@@ -384,21 +396,15 @@ Valid options are: : Comma-separated list of Key Usages, for instance `digitalSignature, keyEncipherment`, to include in the Certificate Signing Request. - See [`x509v3_config`(5ssl)] for a list of possible values. - See x509v3_config(5ssl) for a list of possible values. Note that - the ACME might override the value provided here. - -*subject* + See [`x509v3_config`(5ssl)] for a list of possible values. Note + that the ACME server might override the value provided here. -: Subject field of the Certificate Signing Request, in the form - `/type0=value0/type1=value1/type2=…`. This option is required. +*tlsfeature* -*subjectAltName* - -: Comma-separated list of Subject Alternative Names, in the form - `type0:value1,type1:value1,type2:…` - The only `type` currently supported is `DNS`, to specify an - alternative domain name. +: Comma-separated list of [TLS extension][TLS Feature extension] + identifiers, such as `status_request` for OCSP Must-Staple. + See [`x509v3_config`(5ssl)] for a list of possible values. Note + that the ACME server might override the value provided here. *chown* @@ -429,6 +435,7 @@ See also [`lacme-accountd`(1)] [ACME]: https://tools.ietf.org/html/rfc8555 +[TLS Feature extension]: https://tools.ietf.org/html/rfc7633 [`lacme-accountd`(1)]: lacme-accountd.1.html [`iptables`(8)]: https://linux.die.net/man/8/iptables [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html -- cgit v1.2.3
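Review bot: the new `tlsfeature` entry in the second hunk documents the syntax but not the operational consequence of the one value it recommends: a certificate carrying `status_request` (OCSP Must-Staple, RFC 7633) is rejected by clients that enforce the extension whenever the TLS server does not staple a valid OCSP response, so a sentence warning that stapling must be configured, and kept working, on every server that presents the certificate belongs in this paragraph. Two smaller points: the link text `[TLS extension][TLS Feature extension]` is misleading, since the values are TLS Feature identifiers (TLS extension type names such as `status_request`, or their numeric codes, as x509v3_config(5ssl) describes), so "TLS Feature extension identifiers" reads more precisely; and the sentence "Note that the ACME server might override the value provided here", copied from the `keyUsage` entry above, is worth making concrete for this option, because a CA that drops the extension silently leaves the operator without Must-Staple, so the issued certificate should be inspected (for example with `openssl x509 -noout -text`) before relying on it.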