update documentation

author: Andrew Cady <d@jerkface.net> 2016-01-24 20:58:25 -0500
committer: Andrew Cady <d@jerkface.net> 2016-01-24 20:58:25 -0500
commit: be7a90d29c8a6da269d54f355cee11ce6e5eabc2 (patch)
tree: ee589a906c93f0a069823f744ffc181ad69a6e0f
parent: df216a65fcb97bb42f66fd50fb37166b3045bd39 (diff)
1 files changed, 30 insertions, 23 deletions
diff --git a/README.md b/README.md
index d2a6e03..9db3b7b 100644
--- a/README.md
+++ b/README.md
@@ -24,52 +24,59 @@ Available options:
                           (generated certificates will not be trusted!)
 ```
-This is a simple Haskell script to obtain a certificate from [Let's
+This program can be used to obtain a certificate from
-Encrypt](https://letsencrypt.org/) using their ACME protocol.
+[Let's Encrypt](https://letsencrypt.org/) using their ACME protocol.
+## Rate Limits
- The main source of information to write this was
+This tool supports multiple domain names per certificate. Note that `Let's
-  https://github.com/diafygi/letsencrypt-nosudo
+Encrypt` will not sign a certificate with more than 100 names; nor will it allow
+more than 100 names to be signed for a single domain (no matter how many
+certificates the names are spread across). Furthermore, you can only issue 5
+certificates per domain per week.
- The ACME spec: https://letsencrypt.github.io/acme-spec/
+The `Let's Encrypt` community documentation contains more
+[information about rate limits](https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769).
-## Generate user account keys
+## User account keys
-The needed keys will be automatically generated with HsOpenSSL. You can also
+Under ACME, each certificate request is associated with a private key used to
-pre-generate them manually, in which case they won't be overwritten:
+sign communications with the ACME server. The key is furthermore associated with
+an email address.
+Note: `Let's Encrypt` requires that this key be different from the key used for
+the certificate.
-```
+Use the `--email` command line argument to specify an email address to associate
-openssl genrsa 4096 > user.key
+with a private key.  If there is no private key, one will be generated;
-mkdir -p ${DOMAIN_NAME}
+otherwise, the existing one will be used.  This only needs to be done once per
-openssl genrsa 4096 > ${DOMAIN_NAME}/rsa.key
+private key.
-```
-## Send CSR 
+Currently, only RSA keys are supported by this tool.  You can generate compatible
+keys like this:
-The CSR will be automatically created.  You can also create it yourself with:
 ```
-> openssl req -new -sha256 -key ${DOMAIN}/rsa.key \
+openssl genrsa 4096 > user.key
-      -subj "/CN=aaa.reesd.com" -outform DER > ${DOMAIN}/csr.der
+mkdir -p ${DOMAIN}
+openssl genrsa 4096 > ${DOMAIN}/rsa.key
 ```
 ## Receive certificate
 The signed certificate will be saved by this program in
-``./${DOMAIN}/cert.der``. You can copy that file to the place your TLS server is
+``./${DOMAIN}/cert.der``. You can copy that file to the place your TLS
-configured to read it.
+server is configured to read it.
 You can also view the certificate like so:
 ```
-> openssl x509 -inform der -in ${DOMAIN}/cert.der  -noout -text | less
+openssl x509 -inform der -in ${DOMAIN}/cert.der  -noout -text | less
 ```
 ## Create a certificate for HAProxy
-Including explicit DH key exchange parameters to prevent Logjam attack
+Vo Minh Thu, the original author of this program, suggests to include explicit
-(https://weakdh.org/).
+DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/).
 ```
 > openssl x509 -inform der -in ${DOMAIN}/cert.der \
author	Andrew Cady <d@jerkface.net>	2016-01-24 20:58:25 -0500
committer	Andrew Cady <d@jerkface.net>	2016-01-24 20:58:25 -0500
commit	be7a90d29c8a6da269d54f355cee11ce6e5eabc2 (patch)
tree	ee589a906c93f0a069823f744ffc181ad69a6e0f
parent	df216a65fcb97bb42f66fd50fb37166b3045bd39 (diff)

diff --git a/README.md b/README.md index d2a6e03..9db3b7b 100644 --- a/README.md +++ b/README.md
@@ -24,52 +24,59 @@ Available options:
24	(generated certificates will not be trusted!)	24	(generated certificates will not be trusted!)
25	```	25	```
26		26
27	This is a simple Haskell script to obtain a certificate from [Let's	27	This program can be used to obtain a certificate from
28	Encrypt](https://letsencrypt.org/) using their ACME protocol.	28	[Let's Encrypt](https://letsencrypt.org/) using their ACME protocol.
29		29
		30	## Rate Limits
30		31
31	- The main source of information to write this was	32	This tool supports multiple domain names per certificate. Note that `Let's
32	https://github.com/diafygi/letsencrypt-nosudo	33	Encrypt` will not sign a certificate with more than 100 names; nor will it allow
		34	more than 100 names to be signed for a single domain (no matter how many
		35	certificates the names are spread across). Furthermore, you can only issue 5
		36	certificates per domain per week.
33		37
34	- The ACME spec: https://letsencrypt.github.io/acme-spec/	38	The `Let's Encrypt` community documentation contains more
		39	[information about rate limits](https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769).
35		40
36	## Generate user account keys	41	## User account keys
37		42
38	The needed keys will be automatically generated with HsOpenSSL. You can also	43	Under ACME, each certificate request is associated with a private key used to
39	pre-generate them manually, in which case they won't be overwritten:	44	sign communications with the ACME server. The key is furthermore associated with
		45	an email address.
40		46
		47	Note: `Let's Encrypt` requires that this key be different from the key used for
		48	the certificate.
41		49
42	```	50	Use the `--email` command line argument to specify an email address to associate
43	openssl genrsa 4096 > user.key	51	with a private key. If there is no private key, one will be generated;
44	mkdir -p ${DOMAIN_NAME}	52	otherwise, the existing one will be used. This only needs to be done once per
45	openssl genrsa 4096 > ${DOMAIN_NAME}/rsa.key	53	private key.
46	```
47		54
48	## Send CSR	55	Currently, only RSA keys are supported by this tool. You can generate compatible
49		56	keys like this:
50	The CSR will be automatically created. You can also create it yourself with:
51		57
52	```	58	```
53	> openssl req -new -sha256 -key ${DOMAIN}/rsa.key \	59	openssl genrsa 4096 > user.key
54	-subj "/CN=aaa.reesd.com" -outform DER > ${DOMAIN}/csr.der	60	mkdir -p ${DOMAIN}
		61	openssl genrsa 4096 > ${DOMAIN}/rsa.key
55	```	62	```
56		63
57	## Receive certificate	64	## Receive certificate
58		65
59	The signed certificate will be saved by this program in	66	The signed certificate will be saved by this program in
60	``./${DOMAIN}/cert.der``. You can copy that file to the place your TLS server is	67	``./${DOMAIN}/cert.der``. You can copy that file to the place your TLS
61	configured to read it.	68	server is configured to read it.
62		69
63	You can also view the certificate like so:	70	You can also view the certificate like so:
64		71
65	```	72	```
66	> openssl x509 -inform der -in ${DOMAIN}/cert.der -noout -text \| less	73	openssl x509 -inform der -in ${DOMAIN}/cert.der -noout -text \| less
67	```	74	```
68		75
69	## Create a certificate for HAProxy	76	## Create a certificate for HAProxy
70		77
71	Including explicit DH key exchange parameters to prevent Logjam attack	78	Vo Minh Thu, the original author of this program, suggests to include explicit
72	(https://weakdh.org/).	79	DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/).
73		80
74	```	81	```
75	> openssl x509 -inform der -in ${DOMAIN}/cert.der \	82	> openssl x509 -inform der -in ${DOMAIN}/cert.der \