author    Rob Austein <sra@hactrn.net>  2009-09-18 16:11:54 +0000
committer Rob Austein <sra@hactrn.net>  2009-09-18 16:11:54 +0000
commit    542101e52047d6e27077da3038c595255915f97c (patch)
tree      0d43bad5eb0f2bc5ee3107f0ac6a7a8e2f5236fa /rcynic
parent    6e9d51ff2be4c05100798764b7407ca31d0828fb (diff)
Notes on trust-anchor-uri-with-key
svn path=/rcynic/README; revision=2769
Diffstat (limited to 'rcynic')
-rw-r--r--  rcynic/README  | 18 ++++++++++++++++++
1 file changed, 18 insertions, 0 deletions
diff --git a/rcynic/README b/rcynic/README
index 5bff8e58..fe7d20b9 100644
--- a/rcynic/README
+++ b/rcynic/README
@@ -412,3 +412,21 @@ is to add the following lines to /etc/rc.conf:
altlog_proglist="named rcynic"
rcynic_chrootdir="/var/rcynic"
rcynic_enable="YES"
+
+
+
+If you're using the experimental trust-anchor-uri-with-key trust
+anchor format, you'll need a copy of the public key in DER format.
+One can extract this from an X.509 format trust anchor using the
+OpenSSL command line tool, but the path is poorly documented. Try
+something like this:
+
+ $ openssl x509 -inform DER -in foo.cer -pubkey -noout | openssl rsa -outform DER -pubin -out foo.key
+
+The important bits here are:
+
+a) You're asking the x509 command to extract the public key and send
+ it (in PEM format) to stdout without the rest of the certificate
+
+b) You're asking the rsa command to read a public key (in PEM format)
+ on stdin, convert it to DER format and write it out.
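Review bot: the added text says rcynic needs "the public key in DER format" but never states which DER encoding it expects, and the second stage of the pipeline (`openssl rsa -outform DER -pubin -out foo.key`) only works for RSA keys; please say explicitly in the README whether the SubjectPublicKeyInfo encoding that this command emits is what the trust-anchor-uri-with-key loader parses (as opposed to a bare RSAPublicKey structure), since an operator who gets this wrong will simply see the trust anchor rejected. If the loader is not RSA-specific, `openssl pkey -pubin -outform DER` (a suggestion, not something on this page) does the same PEM-to-DER conversion for any key type and would make the recipe less fragile. Minor: the hunk opens with three `+` blank lines before the new paragraph, which is more separation than the rest of the README section appears to use; two would likely match the surrounding layout.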