[ca] Update documentation.

author Jakub Czajka <jakub@ekhem.eu.org>

Tue, 16 Dec 2025 12:54:16 +0000 (13:54 +0100)

committer Jakub Czajka <jakub@ekhem.eu.org>

Tue, 16 Dec 2025 14:45:06 +0000 (15:45 +0100)
author Jakub Czajka <jakub@ekhem.eu.org>
Tue, 16 Dec 2025 12:54:16 +0000 (13:54 +0100)
committer Jakub Czajka <jakub@ekhem.eu.org>
Tue, 16 Dec 2025 14:45:06 +0000 (15:45 +0100)
diff --git a/ca/README b/ca/README

index f39ff05eabf29f501a26c39c7a21337df837cd84..e9a7b02c6d17fac1d2d5876a7c567c383a301de9 100644 (file)
--- a/ca/README
+++ b/ca/README
@@ -7,7 +7,7 @@ Install
  -------
  
  Answer "." to each option except for `commonName`. Enter a password. `.pem` is an
-instance of `.crt` [1].
+instance of `.crt` [1]. Add `-nodes` to `req` to generate a key without password.
  
  ```
  $ sudo --preserve-env openssl req -x509 -config ca.cnf -new -days 3650 -sha256 \
@@ -37,9 +37,9 @@ add an extensions [5].
  
  ```
  $ sudo --preserve-env openssl req -config ca.cnf -new \
-    -key certs/private/<name>.key -out certs/<name>.csr -extensions email_cert
-$ sudo --preserve-env openssl x509 -req -days 365 -sha256 -CA ca.pem \
-    -CAkey private/ca.key -next_serial -in <name>.csr -out <name>.crt \
+    -key private/<name>.key -out <name>.csr -extensions email_cert
+$ sudo --preserve-env openssl x509 -req -days 3650 -sha256 -CA ca.pem \
+    -CAkey private/<name>.key -next_serial -in <name>.csr -out <name>.crt \
      -extensions email_cert -extfile ca.cnf
  ```
  
@@ -51,7 +51,8 @@ browser [7]. Add `-legacy` to ensure algorithmic interoperability with legacy
  systems.
  
  ```
-$ openssl pkcs12 -export -legacy -inkey <name>.key -in <name>.crt -out <name>.p12
+$ openssl pkcs12 -export -legacy -inkey private/<name>.key -in <name>.crt \
+      -out <name>.p12
  ```
  
  Renew
author	Jakub Czajka <jakub@ekhem.eu.org>
	Tue, 16 Dec 2025 12:54:16 +0000 (13:54 +0100)
committer	Jakub Czajka <jakub@ekhem.eu.org>
	Tue, 16 Dec 2025 14:45:06 +0000 (15:45 +0100)