Changeset - 08ba658f3c35
Parent rev.
Child rev.
[Not reviewed]
0 2 0
Branko Majic (branko) - 6 years ago 2018-05-04 22:45:43
branko@majic.rs
GC-23: Updated documentation related to move of --update-dns-option from server to renew command:

- Updated the server command usage instructions to include reference
to --update-dns-option in the renew command.
- Added relevant documentation on use of the --update-dns-names option
to the usage instructions for renew command.
- Update the CLI examples.
2 files changed with 25 insertions and 26 deletions:
docs/usage.rst
18
19
gimmecert/cli.py
7
7
0 comments (0 inline, 0 general)
docs/usage.rst
Show inline comments
 
@@ -214,21 +214,12 @@ Key usage and extended key usage in certificate are set typical TLS
 
server use (e.g. *digital signature* + *key encipherment* for KU, and
 
*TLS WWW server authentication* for EKU).
 

			




	
	
	
		
 
Rerunning the command will not overwrite existing data. However, if

			




	
	
	
		
 
you made a mistake with additional DNS subject alternative names, you

			




	
	
	
		
 
can easily fix this with the ``--update-dns-names`` option::

			




	
	
	
		
 

			




	
	
	
		
 
  # Replace existing additional names.

			




	
	
	
		
 
  gimmecert server --update-dns-names myserver correctname.example.com

			




	
	
	
		
 

			




	
	
	
		
 
  # Remove additional names altogether.

			




	
	
	
		
 
  gimmecert server --update-dns-names myserver

			




	
	
	
		
 
Rerunning the command will not overwrite existing data.

			




	
	
	
		
 

			




	
	
	
		
 
The ``--update-dns-command`` will keep the private key intact - only

			




	
	
	
		
 
the certificate will be renewed. If you haven't issued any certificate

			




	
	
	
		
 
for this server entity before, though, the option is ignored, and the

			




	
	
	
		
 
command behaves as if it was not specified (so you still get a private

			




	
	
	
		
 
key and certificate).

			




	
	
	
		
 
.. note::

			




	
	
	
		
 
   For changing the list of additional subject alternative names

			




	
	
	
		
 
   included in already issued server certificates, see the

			




	
	
	
		
 
   ``--update-dns-names`` option in the ``gimmecert renew`` command.

			




	
	
	
		
 

			




	
	
	
		
 
In addition to generating a private key, it is also possible to

			




	
	
	
		
 
pass-in a certificate signing request (CSR). If specified path is a

			




	
	
		
 
@@ -319,11 +310,6 @@ The command will:

			




	
	
	
		
 
- Overwrite the existing certificate with a new one.

			




	
	
	
		
 
- Show information where the artifacts can be grabbed from.

			




	
	
	
		
 

			




	
	
	
		
 
.. note::

			




	
	
	
		
 
   For changing the list of additional subject alternative names

			




	
	
	
		
 
   included in server certificates, see the ``--update-dns-names`` for

			




	
	
	
		
 
   the ``gimmecert server`` command.

			




	
	
	
		
 

			




	
	
	
		
 
To also generate a new private key during renewal, use the

			




	
	
	
		
 
``--new-private-key`` or ``-p`` option. For example::

			




	
	
	
		
 

			




	
	
		
 
@@ -339,6 +325,19 @@ example::

			




	
	
	
		
 
  gimmecert renew --csr - server myserver < /tmp/myserver.csr.pem

			




	
	
	
		
 
  gimmecert renew --csr - client myclient

			




	
	
	
		
 

			




	
	
	
		
 
If you initially made a mistake when providing additional DNS subject

			




	
	
	
		
 
alternative names for a server certificate, you can easily fix this

			




	
	
	
		
 
with the ``--update-dns-names`` or ``-u`` option::

			




	
	
	
		
 

			




	
	
	
		
 
  # Replace existing additional names with just one name.

			




	
	
	
		
 
  gimmecert renew server --update-dns-names "correctname.example.com" myserver

			




	
	
	
		
 

			




	
	
	
		
 
  # Replace existing additional names with mutliple names.

			




	
	
	
		
 
  gimmecert renew server --update-dns-names "correctname1.example.com,correctname2.example.com" myserver 

			




	
	
	
		
 

			




	
	
	
		
 
  # Remove additional names altogether.

			




	
	
	
		
 
  gimmecert renew server --update-dns-names "" myserver

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
Getting information about CA hierarchy and issued certificates

			




	
	
	
		
 
--------------------------------------------------------------

			




        

    


    
    

    

        

                

                    gimmecert/cli.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -57,16 +57,16 @@ Examples:

			




	
	
	
		
 
    # Issue a TLS client certificate by using public key from the CSR (naming/extensions are ignored).

			




	
	
	
		
 
    gimmecert client myclient --csr /tmp/myclient.csr.pem

			




	
	
	
		
 

			




	
	
	
		
 
    # Renew a TLS server certificate with updated DNS subject alternative names. Keeps the private key if any.

			




	
	
	
		
 
    # Renew a TLS server certificate, preserving naming and private key.

			




	
	
	
		
 
    gimmecert renew server myserver

			




	
	
	
		
 

			




	
	
	
		
 
    # Renew a TLS server certificate, replacing the extra DNS names, but keeping the private key.

			




	
	
	
		
 
    gimmecert server myserver wrongdns.local

			




	
	
	
		
 
    gimmecert server --update-dns-names myserver correctdns1.local correctdns2.local

			




	
	
	
		
 
    gimmecert renew server myserver --update-dns-names "correctdns1.local,correctdns2.local"

			




	
	
	
		
 

			




	
	
	
		
 
    # Renew a TLS server certificate removing extra DNS subject alternative names. Keeps the private key if any.

			




	
	
	
		
 
    # Renew a TLS server certificate, removing extra DNS subject alternative names, but keeping the private key.

			




	
	
	
		
 
    gimmecert server myserver dontneedthisname.local

			




	
	
	
		
 
    gimmecert server myserver --update-dns-names

			




	
	
	
		
 

			




	
	
	
		
 
    # Renew a TLS server certificate, preserving naming and private key.

			




	
	
	
		
 
    gimmecert renew server myserver

			




	
	
	
		
 
    gimmecert renew server myserver --update-dns-names ""

			




	
	
	
		
 

			




	
	
	
		
 
    # Renew a TLS client certificate, preserving naming and private key.

			




	
	
	
		
 
    gimmecert renew client myclient

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2023 by various authors & licensed under GPLv3.