Diffstat (limited to 'lib/ssl-peer-ca-cert.man')
-rw-r--r-- lib/ssl-peer-ca-cert.man | 13
1 files changed, 7 insertions, 6 deletions
diff --git a/lib/ssl-peer-ca-cert.man b/lib/ssl-peer-ca-cert.man
index cfdd915ec..5450b9ef4 100644
--- a/lib/ssl-peer-ca-cert.man
+++ b/lib/ssl-peer-ca-cert.man
@@ -1,12 +1,13 @@
.IP "\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR"
Specifies a PEM file that contains one or more additional certificates
to send to SSL peers. \fIpeer-cacert.pem\fR should be the CA
-certificate used to sign the \fB\*(PN\fR own certificate (the
-certificate specified on \fB\-c\fR or \fB\-\-certificate\fR).
+certificate used to sign \fB\*(PN\fR's own certificate, that is, the
+certificate specified on \fB\-c\fR or \fB\-\-certificate\fR. If
+\fB\*(PN\fR's certificate is self-signed, then \fB\-\-certificate\fR
+and \fB\-\-peer\-ca\-cert\fR should specify the same file.
.IP
This option is not useful in normal operation, because the SSL peer
must already have the CA certificate for the peer to have any
-confidence in \fB\*(PN\fR's identity. However, this option allows a
-newly installed switch to obtain the peer CA certificate on first boot
-using, e.g., the \fB\-\-bootstrap\-ca\-cert\fR option to
-\fBovs\-openflowd\fR(8).
+confidence in \fB\*(PN\fR's identity. However, this offers a way for
+a new installation to bootstrap the CA certificate on its first SSL
+connection.
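Review bot: In the final paragraph, the replacement sentence ("this offers a way for a new installation to bootstrap the CA certificate on its first SSL connection") drops the pointer to \fB\-\-bootstrap\-ca\-cert\fR and \fBovs\-openflowd\fR(8) without naming any other peer-side option, so a reader can no longer tell what on the receiving end consumes the certificate sent here. Suggest keeping a cross-reference to the receiving option, worded generically if the text is now shared by several programs. The paragraph also only implies that a peer accepting the CA certificate this way cannot authenticate that first connection; saying so outright, and that the bootstrap belongs on a network the operator already trusts, would make the trade-off clear. In the first paragraph, the new self-signed sentence could add the reason the two options take the same file: a self-signed certificate is its own issuer.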