From d311282ac118130ba792d68805c35f98b97a1602 Mon Sep 17 00:00:00 2001 From: "Chris St. Pierre" Date: Tue, 6 Nov 2012 09:50:41 -0500 Subject: improved SSLCA cert.xml/key.xml docs --- doc/server/plugins/generators/sslca.txt | 70 ++++++++++++++++++++++++++++++++- 1 file changed, 68 insertions(+), 2 deletions(-) diff --git a/doc/server/plugins/generators/sslca.txt b/doc/server/plugins/generators/sslca.txt index 4c1845406..2b07f91fe 100644 --- a/doc/server/plugins/generators/sslca.txt +++ b/doc/server/plugins/generators/sslca.txt @@ -113,6 +113,9 @@ that CA must contain full (not relative) paths. Configuration ============= +bcfg2.conf +---------- + ``bcfg2.conf`` contains miscellaneous configuration options for the SSLCA plugin. These are described in some detail above in `getting-started`, but are also enumerated here as a reference. Any 
@@ -138,6 +141,69 @@ Each directive below should appear at most once in each Only ``config`` is required. +cert.xml +-------- + +``cert.xml`` is an XML document describing an SSL certificate +generated from an SSL key that has also been generated by SSLCA. It +contains a top-level ``CertInfo`` tag that contains a single ``Cert`` +tag. (``Group`` and ``Client`` tags are not currently supported in +``cert.xml``.) The ``Cert`` tag may take the following attributes: + ++--------------+------------------------------------------+---------+---------+ +| Attribute | Description | Values | Default | ++==============+==========================================+=========+=========+ +| key | The full path to the key to use for this | String | None | +| | certificate. This is the only required | | | +| | attribute. | | | ++--------------+------------------------------------------+---------+---------+ +| format | The format of cert to produce. Currently | 'pem' | 'pem' | +| | only pem certificates are supported. | | | ++--------------+------------------------------------------+---------+---------+ +| ca | The name of the CA (from ``bcfg2.conf``) | String | default | +| | to use to generate this certificate. 
| | | ++--------------+------------------------------------------+---------+---------+ +| days | Time (in days) the certificate should be | Integer | 365 | +| | valid for | | | ++--------------+------------------------------------------+---------+---------+ +| c | Override the country set in the CA | String | None | +| | config | | | ++--------------+------------------------------------------+---------+---------+ +| l | Override the location set in the CA | String | None | +| | config | | | ++--------------+------------------------------------------+---------+---------+ +| st | Override the state set in the CA config | String | None | ++--------------+------------------------------------------+---------+---------+ +| ou | Override the organizational unit set in | String | None | +| | the CA config | | | ++--------------+------------------------------------------+---------+---------+ +| o | Override the organization set in the CA | String | None | +| | config | | | ++--------------+------------------------------------------+---------+---------+ +| emailaddress | Override the email address set in the CA | String | None | +| | config | | | ++--------------+------------------------------------------+---------+---------+ +| append_chain | Append the CA chain certificate to the | Boolean | False | +| | certificate (e.g., to produce a cert in | | | +| | the format required by Nginx) | | | ++--------------+------------------------------------------+---------+---------+ + +key.xml +------- + +``key.xml`` is an XML document describing an SSL key. It contains a +top-level ``KeyInfo`` tag that contains a single ``Key`` tag. +(``Group`` and ``Client`` tags are not currently supported in +``key.xml``.) 
The ``Key`` tag may take the following attributes: + ++--------------+------------------------------------------+---------+---------+ +| Attribute | Description | Values | Default | ++==============+==========================================+=========+=========+ +| type | The key type | rsa|dsa | 'rsa' | ++--------------+------------------------------------------+---------+---------+ +| bits | The key length | Integer | 2048 | ++--------------+------------------------------------------+---------+---------+ + Automated Bcfg2 SSL Authentication ================================== @@ -192,7 +258,7 @@ paths should be adjusted to suite your preferences. mv bcfg2ca.key /etc/pki/CA/private/ mv bcfg2ca.crt /etc/pki/CA/certs/ -Your self-signing CA is now ready to use. +Your self-signing CA is now ready to use. Bcfg2 ----- @@ -227,7 +293,7 @@ example: -Here's a more complete example bcfg2-client bundle: +Here's a more complete example bcfg2-client bundle: .. code-block:: xml -- cgit v1.2.3-1-g7c22
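Review bot: In the key.xml table in the ``@@ -138,6 +141,69 @@`` hunk, the ``Values`` cell ``rsa|dsa`` puts a literal ``|`` inside an RST grid table cell; docutils will not treat it as a column border here, but it reads as one and the quoting is inconsistent with the rest of the table (the default is ``'rsa'`` while the cert.xml table quotes both ``'pem'`` values). Suggest ``'rsa' or 'dsa'`` in the Values column. Two smaller documentation points in the same hunk: the ``append_chain`` row lists ``Boolean`` as its values without saying which spellings are accepted, so state them explicitly (for example ``true``/``false``) so readers know what the plugin actually parses; and the ``l`` row describes the attribute as overriding the "location", where the X.509 DN component it maps to is the locality, so "Override the locality set in the CA config" would be more accurate and match the ``c``/``st``/``o``/``ou`` naming.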
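Review bot: The ``@@ -113,6 +113,9 @@`` hunk adds the ``bcfg2.conf`` subheading directly above the sentence "These are described in some detail above in `getting-started`", which uses single backticks; in RST that is interpreted text (a title reference), not a cross-reference, so if a link to the getting-started section is intended it should be ``:ref:`getting-started```, and it is worth fixing while this paragraph is being restructured.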
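Review bot: The ``@@ -192,7 +258,7 @@`` and ``@@ -227,7 +293,7 @@`` hunks appear to change only trailing whitespace on "Your self-signing CA is now ready to use." and "Here's a more complete example bcfg2-client bundle:", which is fine as cleanup but unrelated to the cert.xml/key.xml documentation named in the commit message; consider mentioning it there or splitting it out. Since the first of these hunks is already being touched, the context line "paths should be adjusted to suite your preferences." could take the same drive-by treatment ("suit", not "suite").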