author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-09 19:11:22 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-09 19:11:22 +0200 |
commit | c9fab8a8b9a4e2abd8c8c8e00c3b7a0203660021 (patch) | |
tree | 527626028c0936396618ab7e9b7b2c22a24f1a5a /src/certtool-args.def | |
parent | d1922841f4226039c9eaf402d2c426dc25b8c8cc (diff) | |
download | gnutls-c9fab8a8b9a4e2abd8c8c8e00c3b7a0203660021.tar.gz |
Certtool updates.
By default generate public key TLSA RR entries. Added --verbose option.
Diffstat (limited to 'src/certtool-args.def')
-rw-r--r-- | src/certtool-args.def | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 949cf0c644..cfc9ffc65b 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -10,6 +10,7 @@ explain = "";
 #define INFILE_OPT 1
 #define OUTFILE_OPT 1
+#define VERBOSE_OPT 1
 #include args-std.def
 flag = {
@@ -391,6 +392,12 @@ flag = {
 };
 flag = {
+ name = dane-full-x509;
+ descrip = "Use the hash of the full X.509 certificate, rather than the public key.";
+ doc = "This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.";
+};
+
+flag = {
 name = dane-local;
 descrip = "Whether the provided certificate or public key is an unsigned local entity.";
 doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local entity.";
@@ -526,6 +533,8 @@ $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
 @end example
 @subheading DANE TLSA RR generation
+
+
 To create a DANE TLSA resource record for a CA signed certificate use the following commands.
 @example
@@ -538,6 +547,10 @@ $ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
 --dane-local
 @end example
+The latter is useful to add in your DNS entry even if your certificate is signed
+by a CA. That way even users who do not trust your CA will be able to verify your
+certificate using DANE.
+
 In order to create a record for the signer of your certificate use:
 @example
 $ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \ |
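Review bot: The `doc` string of the new dane-full-x509 flag (hunk at @@ -391) explains what the option selects but not the operational consequence of selecting it: a TLSA record bound to the hash of the whole certificate stops matching as soon as the certificate is reissued, even when the same key pair is kept, whereas the default public-key hash keeps matching across a renewal that retains the key. Operators who pick this option without knowing that will leave a stale record in the zone after their next renewal and see DANE validation fail. I would extend the `doc` string with a sentence such as `Note that a record generated with this option must be regenerated whenever the certificate is renewed or reissued, even if the same key is retained.` The new flag definition starts and ends within the hunk.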
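Review bot: The paragraph added after `@end example` in the hunk at @@ -538 says `add in your DNS entry`, which is awkward and imprecise, and its claim that users who distrust the CA can still verify the certificate holds only when the record is served from a DNSSEC-signed zone, a precondition the dane-local `doc` string in the same file already presupposes. I would reword the first two lines to: `The latter is useful to publish in your DNSSEC-signed zone even if your certificate is signed` / `by a CA. That way even users who do not trust your CA will be able to verify your`, leaving the third line as is.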