From 5336c981b167858c3bb08b1ac4d94a700fd407a9 Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre" <chris.a.st.pierre@gmail.com>
Date: Mon, 3 Dec 2012 17:08:02 -0600
Subject: SSLCA improvements: Added support for Group/Client tags in
 cert.xml/key.xml Added support for explicit subjectAltNames in cert.xml
 Reorganized code to make generally more like other GroupSpool plugins

---
 doc/server/plugins/generators/sslca.txt | 63 +++++++++++++++++++++++++++++----
 1 file changed, 56 insertions(+), 7 deletions(-)

(limited to 'doc')

diff --git a/doc/server/plugins/generators/sslca.txt b/doc/server/plugins/generators/sslca.txt
index 2b07f91fe..85659982e 100644
--- a/doc/server/plugins/generators/sslca.txt
+++ b/doc/server/plugins/generators/sslca.txt
@@ -146,9 +146,15 @@ cert.xml
 
 ``cert.xml`` is an XML document describing an SSL certificate
 generated from an SSL key that has also been generated by SSLCA.  It
-contains a top-level ``CertInfo`` tag that contains a single ``Cert``
-tag.  (``Group`` and ``Client`` tags are not currently supported in
-``cert.xml``.)  The ``Cert`` tag may take the following attributes:
+honors ``Group`` and ``Client`` tags much like Bundler.  It must have
+a top-level ``CertInfo`` tag and can contain two types of tags:
+
+Cert
+~~~~
+
+The ``Cert`` tag explains how the certificate should be generated.
+There should be at least one ``Cert`` tag, and at most one ``Cert``
+tag should apply to any given client.
 
 +--------------+------------------------------------------+---------+---------+
 | Attribute    | Description                              | Values  | Default |
@@ -188,13 +194,42 @@ tag.  (``Group`` and ``Client`` tags are not currently supported in
 |              | the format required by Nginx)            |         |         |
 +--------------+------------------------------------------+---------+---------+
 
+SubjectAltName
+~~~~~~~~~~~~~~
+
+The ``SubjectAltName`` tag contains text giving a subject alternative
+name for the certificate.  Any number of ``SubjectAltName`` tags may
+be used.
+
+Example
+~~~~~~~
+
+.. code-block: xml
+
+    <CertInfo>
+      <SubjectAltName>test.example.com</SubjectAltName>
+      <Group name="apache">
+        <Cert key="/etc/pki/tls/private/foo.key" days="730"/>
+      </Group>
+      <Group name="nginx">
+        <Cert key="/etc/pki/tls/private/foo.key" days="730"
+              append_chain="true"/>
+      </Group>
+    </CertInfo>
+
 key.xml
 -------
 
-``key.xml`` is an XML document describing an SSL key.  It contains a
-top-level ``KeyInfo`` tag that contains a single ``Key`` tag.
-(``Group`` and ``Client`` tags are not currently supported in
-``key.xml``.)  The ``Key`` tag may take the following attributes:
+``key.xml`` is an XML document describing an SSL key.  It also honors
+``Group`` and ``Client`` tags.  It contains a top-level ``KeyInfo``
+tag that contains at least one ``Key`` tag.
+
+Key
+~~~
+
+The ``Cert`` tag explains how the certificate should be generated.
+There should be at least one ``Cert`` tag, and at most one ``Cert``
+tag should apply to any given client.
 
 +--------------+------------------------------------------+---------+---------+
 | Attribute    | Description                              | Values  | Default |
@@ -204,6 +239,20 @@ top-level ``KeyInfo`` tag that contains a single ``Key`` tag.
 | bits         | The key length                           | Integer | 2048    |
 +--------------+------------------------------------------+---------+---------+
 
+Example
+~~~~~~~
+
+.. code-block: xml
+
+    <KeyInfo>
+      <Group name="fast">
+        <Key type="rsa" bits="1024"/>
+      </Group>
+      <Group name="secure">
+        <Key type="rsa" bits="4096"/>
+      </Group>
+    </KeyInfo>
+
 Automated Bcfg2 SSL Authentication
 ==================================
 
-- 
cgit v1.2.3-1-g7c22