From c1625aa7195fd581cabb154ab84e706002a421bd Mon Sep 17 00:00:00 2001 From: Sebastian Spaeth Date: Thu, 19 Jan 2012 10:15:04 +0100 Subject: [PATCH] DOCS: Tweak SSL FAQ a bit more Cleanup the previously added information. Signed-off-by: Sebastian Spaeth --- docs/FAQ.rst | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/docs/FAQ.rst b/docs/FAQ.rst index 4acad4e..8381681 100644 --- a/docs/FAQ.rst +++ b/docs/FAQ.rst @@ -288,33 +288,29 @@ How do I generate an `sslcacertfile` file? The `sslcacertfile` file must contain an SSL certificate (or a concatenated certificates chain) in PEM format. (See the documentation of -`ssl.wrap_socket`_'s `certfile` parameter for the gory details.) The following -command should generate a file in the proper format:: +`ssl.wrap_socket`_'s `certfile` parameter for the gory details.) You can use either openssl or gnutls to create a certificate file in the required format. +#. via openssl:: openssl s_client -CApath /etc/ssl/certs -connect ${hostname}:imaps -showcerts \ | perl -ne 'print if /BEGIN/../END/; print STDERR if /return/' > $sslcacertfile ^D -Before using the resulting file, ensure that openssl verified the certificate -successfully. +#. via gnutls:: + gnutls-cli --print-cert -p imaps ${host} $sslcacertfile The path `/etc/ssl/certs` is not standardized; your system may store SSL certificates elsewhere. (On some systems it may be in `/usr/local/share/certs/`.) -If this does not work and you are getting error messages, you can test the certificate using a command like (credits to Daniel Shahaf for this):: +Before using the resulting file, ensure that openssl verified the certificate +successfully. In case of problems, you can test the certificate using a command such as (credits to Daniel Shahaf for this) to verify the certificate:: % openssl s_client -CAfile $sslcacertfile -connect ${hostname}:imaps 2>&1
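Review bot: In the added "#. via gnutls::" item, the command as shown uses `${host}` where the openssl commands use `${hostname}`, and it has no redirection, so `$sslcacertfile` is passed to gnutls-cli as an argument instead of receiving the output. Please make the variable name consistent and show the complete command that writes the PEM block into the file. The relocated sentence "Before using the resulting file, ensure that openssl verified the certificate successfully" now follows both alternatives but still names only openssl, so a reader who took the gnutls route is left without a verification step. Because the file is built from whatever the server presented on that connection, the FAQ should say what to check in each case before the file is trusted (for openssl, the "Verify return code" line that the perl filter sends to stderr). The new wording "you can test the certificate using a command such as (...) to verify the certificate" repeats itself; drop the trailing "to verify the certificate".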