From ebcdb73bc5494398ab9203d6caf3057ef5f1168b Mon Sep 17 00:00:00 2001
From: elijah
Date: Wed, 24 Jul 2013 12:47:51 -0700
Subject: updated CSR notes
---
 docs/platform/guide.md | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/docs/platform/guide.md b/docs/platform/guide.md
index dae392e..da515a4 100644
--- a/docs/platform/guide.md
+++ b/docs/platform/guide.md
@@ -165,12 +165,12 @@ The `ca` option in provider.json provides settings used when generating CAs and
 "digest": "SHA256",
 "life_span": "10y",
 "server_certificates": {
- "bit_size": 2024,
+ "bit_size": 2048,
 "digest": "SHA256",
 "life_span": "1y"
 },
 "client_certificates": {
- "bit_size": 2024,
+ "bit_size": 2048,
 "digest": "SHA256",
 "life_span": "2m",
 "limited_prefix": "LIMITED",
@@ -180,7 +180,7 @@ The `ca` option in provider.json provides settings used when generating CAs and
 To see what values are used for your provider, run `leap inspect provider.json`. You can modify the defaults as you wish by adding the values to provider.json.
-NOTE: A certificate `bit_size` greater than 2024 will probably not be recognized by most commercial CAs.
+NOTE: A certificate `bit_size` greater than 2048 will probably not be recognized by most commercial CAs.
 Certificate Authorities
 -----------------------------------------
@@ -245,6 +245,18 @@ The private key file is extremely sensitive and care should be taken with its pr
 If your commercial CA has a chained CA cert, you should be OK if you just put the **last** cert in the chain into the `commercial_ca.crt` file. This only works if the other CAs in the chain have certs in the debian package `ca-certificates`, which is the case for almost all CAs.
+If you want to add additional fields to the CSR, like country, city, or locality, you can configure these values in provider.json like so:
+
+ "ca": {
+ "server_certificates": {
+ "country": "US",
+ "state": "Washington",
+ "locality": "Seattle"
+ }
+ }
+
+If they are not present, the CSR will be created without them.
+
 Facts
 ==============================
-- 
cgit v1.2.3