From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sat, 6 Dec 2025 23:16:08 +0000 (+0100)
Subject: [ca] Add -extfile.
X-Git-Url: https://git.ekhem.eu.org/?a=commitdiff_plain;h=69ade895830b3d42534b9d30b9f0839a2f31fdc1;p=server.git

[ca] Add -extfile.
---

diff --git a/ca/README b/ca/README
index f35deb0..f39ff05 100644
--- a/ca/README
+++ b/ca/README
@@ -25,11 +25,11 @@ Answer "." to each option except for `commonName`. Leave challenge password
 empty [2]. Subject alternative names can also be added [3].
 
 ```
-$ sudo --preserve-env openssl genrsa -out certs/private/<name>.key 4096
+$ sudo --preserve-env openssl genrsa -out private/<name>.key 4096
 $ sudo --preserve-env openssl req -config ca.cnf -new \
-    -key certs/private/<name>.key -out certs/<name>.csr
+    -key private/<name>.key -out <name>.csr
 $ sudo --preserve-env openssl x509 -req -days 365 -sha256 -CA ca.pem \
-    -CAkey private/ca.key -next_serial -in certs/<name>.csr -out certs/<name>.crt
+    -CAkey private/ca.key -next_serial -in <name>.csr -out <name>.crt
 ```
 
 Other output formats are also possible [4]. If generting an email certificate,
@@ -39,8 +39,8 @@ add an extensions [5].
 $ sudo --preserve-env openssl req -config ca.cnf -new \
     -key certs/private/<name>.key -out certs/<name>.csr -extensions email_cert
 $ sudo --preserve-env openssl x509 -req -days 365 -sha256 -CA ca.pem \
-    -CAkey private/ca.key -next_serial -in certs/<name>.csr \
-    -out certs/<name>.crt -extensions email_cert
+    -CAkey private/ca.key -next_serial -in <name>.csr -out <name>.crt \
+    -extensions email_cert -extfile ca.cnf
 ```
 
 Import