mirrors/caddy-website
1
0
Fork 0
mirror of https://github.com/caddyserver/website.git synced 2025-04-22 04:56:17 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

docs: tls: revise doc of trusted_* directives (#168)

Browse source 
1. The *_file directives expects a regular PEM file, not a DER- or base64-encoded one.
2. The rejection condition was condensed.
This commit is contained in:
favonia 2021-06-07 13:24:27 -05:00 committed by GitHub
parent e132c5c454
commit 4491b9ef3b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/docs/markdown/caddyfile/directives/tls.md
View file

@ -86,12 +86,12 @@ tls [internal|<email>] | [<cert_file> <key_file>] {
Default: `require_and_verify` if any `trusted_ca_cert` or `trusted_leaf_cert` are provided; otherwise, `require`.
- **trusted_ca_cert** is a base64 DER-encoded CA certificate against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected.
- **trusted_ca_cert_file** is a base64 DER-encoded CA certificate file against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected.
- **trusted_leaf_cert** is a base64 DER-encoded client leaf certificate to accept. Client certificates which are not signed by any of these CAs will be rejected.
- **trusted_leaf_cert_file** is a base64 DER-encoded CA certificate file against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected.
- **trusted_ca_cert** is a base64 DER-encoded CA certificate against which to validate client certificates.
- **trusted_ca_cert_file** is a path to a PEM CA certificate file against which to validate client certificates.
- **trusted_leaf_cert** is a base64 DER-encoded client leaf certificate to accept.
- **trusted_leaf_cert_file** is a path to a PEM CA certificate file against which to validate client certificates.
Multiple `trusted_*` directives may be specified as a way to chain multiple CA or leaf certificates.
Multiple `trusted_*` directives may be used to specify multiple CA or leaf certificates. Client certificates which are not listed as one of the leaf certificates or signed by any of the specified CAs will be rejected according to the **mode**.
- **issuer** configures a custom certificate issuer, or a source from which to obtain certificates. Which issuer is used and the options that follow in this segment depend on the issuer modules that are available (see below for the standard issuers; plugins may add others). Some of the other subdirectives such as `ca` and `dns` are actually shortcuts for configuring the `acme` issuer (and this subdirective was added later), so specifying this directive and some of the others is confusing and thus prohibited. This subdirective can be specified multiple times to configure multiple, redundant issuers; if one fails to issue a cert, the next one will be tried.