Diffstat (limited to 'doc')
-rw-r--r-- | doc/invoke-certtool.texi | 2
-rw-r--r-- | doc/invoke-danetool.texi | 41
2 files changed, 31 insertions, 12 deletions
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi index c04c1d7f8e..ebdcdedcca 100644 --- a/doc/invoke-certtool.texi +++ b/doc/invoke-certtool.texi @@ -6,7 +6,7 @@ # # DO NOT EDIT THIS FILE (invoke-certtool.texi) # -# It has been AutoGen-ed March 7, 2013 at 02:56:55 AM by AutoGen 5.16 +# It has been AutoGen-ed March 7, 2013 at 11:22:22 AM by AutoGen 5.16 # From the definitions ../src/certtool-args.def # and the template file agtexi-cmd.tpl @end ignore diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi index cb34077cd7..b063e56358 100644 --- a/doc/invoke-danetool.texi +++ b/doc/invoke-danetool.texi @@ -6,7 +6,7 @@ # # DO NOT EDIT THIS FILE (invoke-danetool.texi) # -# It has been AutoGen-ed March 1, 2013 at 05:06:53 PM by AutoGen 5.16 +# It has been AutoGen-ed March 7, 2013 at 11:03:39 PM by AutoGen 5.16 # From the definitions ../src/danetool-args.def # and the template file agtexi-cmd.tpl @end ignore @@ -66,7 +66,11 @@ USAGE: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... --ca Whether the provided certificate or public key is a Certificate Authority. --x509 Use the hash of the X.509 certificate, rather than the public key. - --local The provided certificate or public key is a local entity. + --local This is an alias for 'domain' + - enabled by default + --domain The provided certificate or public key is issued by the local domain. + - disabled as --no-domain + - enabled by default -v, --version[=arg] Output version information and exit -h, --help Display extended usage information and exit -!, --more-help Extended usage information passed thru pager 
@@ -191,8 +195,22 @@ This option forces the generated record to contain the hash of the full X.509 ce @anchor{danetool local} @subsubheading local option -This is the ``the provided certificate or public key is a local entity.'' option. -DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity. +This is an alias for the domain option, +@pxref{danetool domain, the domain option documentation}. + +@anchor{danetool domain} +@subsubheading domain option + +This is the ``the provided certificate or public key is issued by the local domain.'' option. + +@noindent +This option has some usage constraints. It: +@itemize @bullet +@item +is enabled by default. +@end itemize + +DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved. @anchor{danetool exit status} @subsubheading danetool exit status 
@@ -211,26 +229,27 @@ The operation failed or the command syntax was not valid. @subsubheading danetool Examples @subsubheading DANE TLSA RR generation -To create a DANE TLSA resource record for a CA signed certificate use the following commands. - +To create a DANE TLSA resource record for a certificate (or public key) +that was issued localy and may or may not be signed by a CA use the following command. @example $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem @end example -For a self signed certificate use: +To create a DANE TLSA resource record for a CA signed certificate, which will +be marked as such use the following command. @example $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \ - --local + --no-domain @end example -The latter is useful to add in your DNS entry even if your certificate is signed +The former is useful to add in your DNS entry even if your certificate is signed by a CA. That way even users who do not trust your CA will be able to verify your certificate using DANE. -In order to create a record for the signer of your certificate use: +In order to create a record for the CA signer of your certificate use the following. @example $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \ - --ca + --ca --no-domain @end example To read a server's DANE TLSA entry, use: |
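Review bot: The default flips without any notice in the usage text of doc/invoke-danetool.texi (hunk @@ -66,7 +66,11 @@): `--local` goes from an opt-in flag to an alias for `--domain`, which is "enabled by default", so passing `--local` no longer changes anything, and a command line that omits it now produces a domain-issued record where the old examples describe a CA signed one. Suggest a sentence under `--domain` stating that the default changed and that `--no-domain` gives the earlier behaviour. The file header says DO NOT EDIT and names ../src/danetool-args.def as the source, so the wording has to go into that definitions file rather than into this generated output.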
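Review bot: The new "domain option" section (hunk @@ -191,8 +195,22 @@ of doc/invoke-danetool.texi) lists only "is enabled by default" under its usage constraints and never mentions `--no-domain`, although the usage text in the earlier hunk shows "disabled as --no-domain" and, with the option on by default, the negated form is the only one a user will type. Suggest documenting `--no-domain` here together with what kind of record it produces. The description also mixes terms: the retained sentence speaks of "trusted and local entities" while the added one says "domain-issued certificate", and "there could be no CA involved" does not tell the reader whether a CA signature is ignored or merely not required; one term and a definite statement would read better.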
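Review bot: The last example in the Examples hunk (@@ -211,26 +229,27 @@ of doc/invoke-danetool.texi) now needs `--ca --no-domain`, but nothing explains why `--ca` alone is no longer enough or what record `--ca` produces when `--domain` stays at its default; a sentence on that combination would prevent people from publishing a record with a different meaning than they intended. In the same hunk, "The former is useful ..." now refers back across a second example, so naming the command (the one without `--no-domain`) is clearer than "former", and "localy" in the first added sentence should be "locally".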