authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-08 16:55:38 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-08 16:56:15 +0200
commit68be536de1bad4d224f4db6b40f6bdf1e7341445 (patch)
tree62e0e842cf5312d29e80d4246df80d18056c32ee /src/certtool-args.def
parent76f3f3783b06a111661ce06a593bffd30d51637e (diff)
Certtool can generate a DANE RR entry.
Diffstat (limited to 'src/certtool-args.def')
-rw-r--r--src/certtool-args.def62
1 files changed, 62 insertions, 0 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index f802dcc255..ac40d78a45 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -353,6 +353,49 @@ flag = {
doc = "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.";
};
+flag = {
+ name = dane-rr;
+ descrip = "Print the DANE RR data on a certificate or public key";
+ flags_must = dane-host;
+ doc = "This command prints the DANE RR data needed to enable DANE on a DNS server.";
+};
+
+flag = {
+ name = dane-host;
+ descrip = "Specify the hostname to be used in the DANE RR";
+ arg-type = string;
+ arg-name = "Hostname";
+ doc = "This command sets the hostname for the DANE RR.";
+};
+
+flag = {
+ name = dane-proto;
+ descrip = "The protocol set for DANE data (tcp, udp etc.)";
+ arg-type = string;
+ arg-name = "Protocol";
+ doc = "This command specifies the protocol for the service set in the DANE data.";
+};
+
+flag = {
+ name = dane-port;
+ arg-type = number;
+ descrip = "Specify the port number for the DANE data.";
+ default-value = 443;
+ doc = "";
+};
+
+flag = {
+ name = dane-ca;
+ descrip = "Whether the provided certificate or public key is a Certificate authority.";
+ doc = "Marks the DANE RR as a CA certificate if specified.";
+};
+
+flag = {
+ name = dane-local;
+ descrip = "Whether the provided certificate or public key is an unsigned local entity.";
+ doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local entity.";
+};
+
doc-section = {
ds-type = 'SEE ALSO';
ds-format = 'texi';
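Review bot: The `dane-port` flag is declared with `doc = "";`, so the generated manual page will have no description for it, and nothing in the hunk says what `dane-proto` resolves to when it is omitted (the first example in the texi section passes neither). Suggest `doc = "Specifies the port of the service the DANE RR applies to. Defaults to 443.";` for dane-port, and a sentence in the dane-proto doc naming its default (presumably tcp — confirm against the implementation, which is outside this hunk). The `dane-local` doc ("offered via the DNSSEC to trusted and local entities") is hard to parse for the reader who most needs it: a wrong choice here changes what the published record asserts, so the doc should state plainly that `--dane-local` is for certificates or keys that are not validated through the normal CA chain, and that `--dane-ca` and `--dane-local` are independent (one says whether the object is a CA, the other whether it is locally trusted rather than CA-issued) — if that is indeed how the implementation combines them.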
@@ -481,6 +524,25 @@ To verify a Certificate Revocation List (CRL) do:
@example
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
+
+@subheading DANE RR generation
+To create a DANE resource record for a CA signed certificate use the following commands.
+
+@example
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem
+@end example
+
+For a self signed certificate use:
+@example
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+ --dane-local
+@end example
+
+In order to create a record for the signer of your certificate use:
+@example
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+ --dane-ca
+@end example
_EOT_;
};
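Review bot: The third example loads `cert.pem` — the same end-entity certificate as the two examples above it — while its text says it creates a record "for the signer of your certificate"; taken literally it would publish the server's own certificate flagged as a CA, which is not what the sentence promises. The command should load the issuer's certificate instead, e.g. `$ certtool --dane-rr --dane-host www.example.com --load-certificate ca.pem --dane-ca`, with the file name matching the existing CA example (`x509-ca.pem`) if that is the convention here. It would also help to add one sentence after the subheading noting that the printed record only becomes meaningful once it is published in a DNSSEC-signed zone, since the flag doc above describes the output as "needed to enable DANE" without that caveat.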