From 9a4fe03c186bb403debc7022885d5201cf0b69c5 Mon Sep 17 00:00:00 2001
From: rsiddharth <s@ricketyspace.net>
Date: Mon, 3 Feb 2020 17:34:01 -0500
Subject: README.md: Update 'How to use the signing script' section.

Update this section to reflect the ACME v2 version of the
`sign_csr.py` script.
---
 README.md | 37 ++++++++++++++++---------------------
 1 file changed, 16 insertions(+), 21 deletions(-)

(limited to 'README.md')

diff --git a/README.md b/README.md
index 4b8d939..57d4f28 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ already have user account key with Let's Encrypt, you can skip this
 step.
 
 ```sh
-openssl genrsa 4096 > user.key
+openssl genrsa -aes256 4096 > user.key
 openssl rsa -in user.key -pubout > user.pub
 ```
 
@@ -67,39 +67,34 @@ and CSR for your domain, you can skip this step.
 
 ```sh
 #Create a CSR for example.com
-openssl genrsa 4096 > domain.key
+openssl genrsa -aes256 4096 > domain.key
 openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr
 
 #Alternatively, if you want both example.com and www.example.com
-openssl genrsa 4096 > domain.key
+openssl genrsa -aes256 4096 > domain.key
 openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) > domain.csr
 ```
 
 Third, you run the script using python and passing in the path to your user
-account public key and the domain CSR. The paths can be relative or absolute.
-By default the script will ask you to start a webserver on port 80.  If you
-already have one, use the `--file-based` option instead.
+account private key, email address, and the domain CSR. The paths can be
+relative or absolute.
 
 ```sh
-python3 sign_csr.py --public-key user.pub domain.csr > signed.crt
+python3 sign_csr.py --account-key user.key --email mail@example.com domain.csr > signed.crt
 ```
 
-When you run the script, it will ask you do do some manual commands. It has to
-ask you to do these because it doesn't know your private key or have access to
-your server. You can edit the manual commands to fit your situation (e.g. if
-your sudo user is different or private key is in a different location).
+When you run the script, it will:
 
-NOTE: When the script asks you to run these manual commands, you need to run
-them in a separate terminal window. You need to keep the script open while you
-run them. They sign temporary test files that the script created, so if you exit
-or continue the script before you run the commands, those test files will be
-destroyed before they can be used correctly (and you'll have to run the script
-again).
+ - Register you with Let's Encrypt using the email address.
 
-The `*.json` and `*.sig` files are temporary files automatically generated by
-the script and will be destroyed when the script stops. They only contain the
-protocol requests and signatures. They do NOT contain your private keys
-because this script does not have access to your private keys.
+ - If the `user.key` is encrypted, openssl will ask for the passphrase every time
+   the private key is used for signing requests or data.
+
+ - Ask you to provision a HTTP resource on your web server for the domain for
+   the ACME HTTP challenge.
+
+ - Will write the certificate to `signed.crt` if ACME HTTP challenge is
+   successful.
 
 ### Help text
 ```
-- 
cgit v1.2.3