author    rsiddharth <s@ricketyspace.net>    2020-02-03 17:34:01 -0500
committer rsiddharth <s@ricketyspace.net>    2020-02-03 17:34:01 -0500
commit    9a4fe03c186bb403debc7022885d5201cf0b69c5 (patch)
tree      6b85df4a951604524607ec9ab865d16485d89cdc
parent    e084c0e36a70e3d38ef888926bb75fbd37e85d4c (diff)
README.md: Update 'How to use the signing script' section.
Update this section to reflect the ACME v2 version of the `sign_csr.py` script.
-rw-r--r--  README.md  37
1 files changed, 16 insertions, 21 deletions
diff --git a/README.md b/README.md
index 4b8d939..57d4f28 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ already have user account key with Let's Encrypt, you can skip this
step.
```sh
-openssl genrsa 4096 > user.key
+openssl genrsa -aes256 4096 > user.key
openssl rsa -in user.key -pubout > user.pub
```
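Review bot: the passphrase prompt this hunk introduces is not documented in the surrounding section. With `-aes256`, `openssl genrsa -aes256 4096 > user.key` prompts for a passphrase when the key is created, and the unchanged next line `openssl rsa -in user.key -pubout > user.pub` prompts for it again; the text above the block should say so, and should state whether encrypting the account key is required or merely recommended. Also, since the invocation later in this patch passes `--account-key user.key` instead of `--public-key user.pub`, check whether the `user.pub` line is still needed here or should be dropped along with the old option.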
@@ -67,39 +67,34 @@ and CSR for your domain, you can skip this step.
```sh
#Create a CSR for example.com
-openssl genrsa 4096 > domain.key
+openssl genrsa -aes256 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr
#Alternatively, if you want both example.com and www.example.com
-openssl genrsa 4096 > domain.key
+openssl genrsa -aes256 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) > domain.csr
```
Third, you run the script using python and passing in the path to your user
-account public key and the domain CSR. The paths can be relative or absolute.
-By default the script will ask you to start a webserver on port 80. If you
-already have one, use the `--file-based` option instead.
+account private key, email address, and the domain CSR. The paths can be
+relative or absolute.
```sh
-python3 sign_csr.py --public-key user.pub domain.csr > signed.crt
+python3 sign_csr.py --account-key user.key --email mail@example.com domain.csr > signed.crt
```
-When you run the script, it will ask you do do some manual commands. It has to
-ask you to do these because it doesn't know your private key or have access to
-your server. You can edit the manual commands to fit your situation (e.g. if
-your sudo user is different or private key is in a different location).
+When you run the script, it will:
-NOTE: When the script asks you to run these manual commands, you need to run
-them in a separate terminal window. You need to keep the script open while you
-run them. They sign temporary test files that the script created, so if you exit
-or continue the script before you run the commands, those test files will be
-destroyed before they can be used correctly (and you'll have to run the script
-again).
+ - Register you with Let's Encrypt using the email address.
-The `*.json` and `*.sig` files are temporary files automatically generated by
-the script and will be destroyed when the script stops. They only contain the
-protocol requests and signatures. They do NOT contain your private keys
-because this script does not have access to your private keys.
+ - If the `user.key` is encrypted, openssl will ask for the passphrase every time
+ the private key is used for signing requests or data.
+
+ - Ask you to provision a HTTP resource on your web server for the domain for
+ the ACME HTTP challenge.
+
+ - Will write the certificate to `signed.crt` if ACME HTTP challenge is
+ successful.
### Help text
```
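Review bot: the new bullet `If the \`user.key\` is encrypted, openssl will ask for the passphrase every time` covers only the account key, but this hunk also adds `-aes256` to both `openssl genrsa -aes256 4096 > domain.key` lines, so the unchanged `openssl req -new -sha256 -key domain.key ...` commands will prompt for a passphrase as well, and whatever later loads `domain.key` will need it too; either extend the bullet to cover the domain key or leave `-aes256` off the domain-key examples. Two wording points in the added bullets: `a HTTP resource` should be `an HTTP resource`, and `Will write the certificate to \`signed.crt\`` should read `Write the certificate to \`signed.crt\`` so that it parallels the other items under `it will:`. Finally, the removed sentence about the `--file-based` option has no replacement; if that option no longer exists in the ACME v2 script this is fine, otherwise it should still be documented here.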