authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-09 19:11:22 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-09 19:11:22 +0200
commitc9fab8a8b9a4e2abd8c8c8e00c3b7a0203660021 (patch)
tree527626028c0936396618ab7e9b7b2c22a24f1a5a /src/certtool-args.def
parentd1922841f4226039c9eaf402d2c426dc25b8c8cc (diff)
downloadgnutls-c9fab8a8b9a4e2abd8c8c8e00c3b7a0203660021.tar.gz
Certtool updates.
By default, generate TLSA RR entries from the public key. Added a --verbose option.
Diffstat (limited to 'src/certtool-args.def')
-rw-r--r--src/certtool-args.def13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 949cf0c644..cfc9ffc65b 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -10,6 +10,7 @@ explain = "";
#define INFILE_OPT 1
#define OUTFILE_OPT 1
+#define VERBOSE_OPT 1
#include args-std.def
flag = {
@@ -391,6 +392,12 @@ flag = {
};
flag = {
+ name = dane-full-x509;
+ descrip = "Use the hash of the full X.509 certificate, rather than the public key.";
+ doc = "This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.";
+};
+
+flag = {
name = dane-local;
descrip = "Whether the provided certificate or public key is an unsigned local entity.";
doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local entity.";
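Review bot: The `doc` string of the new dane-full-x509 flag says which hash goes into the record but not what each choice means operationally, which is what the person publishing the record needs in order to pick one. In RFC 6698 terms the two choices are the TLSA selector values (0 = full certificate, 1 = SubjectPublicKeyInfo): a public-key record stays valid across certificate renewals that keep the same key, while a full-certificate record must be republished every time the certificate is reissued or DANE validation fails until DNS catches up. Suggest extending the line to `doc = "This option forces the generated record to contain the hash of the full X.509 certificate (TLSA selector 0). By default only the hash of the public key (selector 1) is used; a public-key record remains valid across renewals that keep the same key, whereas a full-certificate record must be republished whenever the certificate is reissued.";`. The dane-local entry that follows the new flag continues outside the hunk.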
@@ -526,6 +533,8 @@ $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
@subheading DANE TLSA RR generation
+
+
To create a DANE TLSA resource record for a CA signed certificate use the following commands.
@example
@@ -538,6 +547,10 @@ $ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
--dane-local
@end example
+The latter is useful to add in your DNS entry even if your certificate is signed
+by a CA. That way even users who do not trust your CA will be able to verify your
+certificate using DANE.
+
In order to create a record for the signer of your certificate use:
@example
$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \