From: Jakub Czajka Date: Tue, 16 Dec 2025 12:54:16 +0000 (+0100) Subject: [ca] Update documentation. X-Git-Url: https://git.ekhem.eu.org/?a=commitdiff_plain;h=3d7bf76fff36d2d261703c05f5db2be15b8489d5;p=server.git [ca] Update documentation. --- diff --git a/ca/README b/ca/README index f39ff05..e9a7b02 100644 --- a/ca/README +++ b/ca/README @@ -7,7 +7,7 @@ Install ------- Answer "." to each option except for `commonName`. Enter a password. `.pem` is an -instance of `.crt` [1]. +instance of `.crt` [1]. Add `-nodes` to `req` to generate a key without password. ``` $ sudo --preserve-env openssl req -x509 -config ca.cnf -new -days 3650 -sha256 \ @@ -37,9 +37,9 @@ add an extensions [5]. ``` $ sudo --preserve-env openssl req -config ca.cnf -new \ - -key certs/private/.key -out certs/.csr -extensions email_cert -$ sudo --preserve-env openssl x509 -req -days 365 -sha256 -CA ca.pem \ - -CAkey private/ca.key -next_serial -in .csr -out .crt \ + -key private/.key -out .csr -extensions email_cert +$ sudo --preserve-env openssl x509 -req -days 3650 -sha256 -CA ca.pem \ + -CAkey private/.key -next_serial -in .csr -out .crt \ -extensions email_cert -extfile ca.cnf ``` @@ -51,7 +51,8 @@ browser [7]. Add `-legacy` to ensure algorithmic interoperability with legacy systems. ``` -$ openssl pkcs12 -export -legacy -inkey .key -in .crt -out .p12 +$ openssl pkcs12 -export -legacy -inkey private/.key -in .crt \ + -out .p12 ``` Renew
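Review bot: In the Install hunk (@@ -7,7 +7,7), the added sentence offers `-nodes` for the `openssl req -x509` command that creates the CA, which leaves the CA private key unencrypted on disk, directly after the text tells the reader to enter a password. Say when skipping the passphrase is acceptable and that the key is then protected by file permissions alone. The README already relies on `pkcs12 -legacy`, an OpenSSL 3.x option, and `-nodes` is deprecated since OpenSSL 3.0, so `-noenc` is the better spelling here. Minor: "without password" should read "without a password", and the new line runs past the wrap width of the surrounding text.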
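Review bot: In the signing hunk (@@ -37,9 +37,9), `-days 365` becomes `-days 3650` for a certificate issued with `-extensions email_cert`, which is the same lifetime the Install command gives the CA itself, so any leaf issued after the CA was created would claim validity past the CA's own expiry. The commit message gives no reason for the tenfold increase; keep a shorter leaf lifetime or document why ten years is intended. In the same hunk `-CAkey private/ca.key` becomes `-CAkey private/.key`, which as written is the same path as `-key private/.key` on the `req` line, so the text no longer distinguishes the CA key from the subject's key. Keep the explicit `private/ca.key` or use clearly distinct placeholders for the two keys.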
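Review bot: In the PKCS#12 hunk (@@ -51,7 +51,8), `-inkey` now points at `private/.key`, but unlike the `req` and `x509` commands in this patch that read from `private/`, this one runs without `sudo --preserve-env`. If `private/` is readable by root only, the export fails as written; if it is not, the README should state what ownership and mode that directory is expected to have. Add `sudo` here or document the permissions, and say where the resulting `.p12` should be written, since it contains the private key.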