On Wed, Mar 06, 2013 at 01:05:16PM +0000, Stuart Henderson wrote:
> It's not entirely obvious that "-x509" actually means "produce a
> csr, self-sign it (defaulting to SHA1), throw away the csr and write
> the cert" and this had me stuck for a long time when I wanted to
> play with DSA server certs.
>
> So here's a diff which moves DSA cert generation instructions
> to the same style as RSA where the process is to produce a CSR and
> tell people how to sign it in separate steps. It doesn't take much
> longer and is clearer.
>
> As a bonus there are instructions for ECDSA cert generation.
>
> OK?

I'd like to mention in passing that I got bitten recently by the default lifetime limit of just 30 days for certs. I created my own CA but could only use it for one month :( Perhaps that could be mentioned. Or a -days option could be added to the example.
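
The separate key, CSR and signing steps discussed in this thread, with the certificate lifetime made checkable, as an added example that is not part of either message or of the diff under discussion. The file names, the subject `/CN=test.example`, the `prime256v1` curve and the explicit `-sha256` digest are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread's diff): ECDSA key -> CSR -> self-signed
# certificate as three separate steps, with an optional explicit lifetime.
# Assumed for illustration: file names, CN, curve and the -sha256 digest.

# make_cert DIR [DAYS]
# Writes server.key, server.csr and server.crt into DIR.
# Without DAYS, openssl's own default lifetime applies.
make_cert() {
    dir=$1
    days=${2:-}
    mkdir -p "$dir" || return 1

    # Step 1: private key.
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$dir/server.key" || return 1

    # Step 2: certificate signing request (kept on disk, unlike "req -x509").
    openssl req -new -key "$dir/server.key" -subj "/CN=test.example" \
        -out "$dir/server.csr" || return 1

    # Step 3: sign the CSR with the same key, naming the digest explicitly.
    if [ -n "$days" ]; then
        openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
            -signkey "$dir/server.key" -out "$dir/server.crt" || return 1
    else
        openssl x509 -req -sha256 -in "$dir/server.csr" \
            -signkey "$dir/server.key" -out "$dir/server.crt" || return 1
    fi
}

# valid_for CERT DAYS
# Succeeds only if CERT will still be valid DAYS days from now.
valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Optional demonstration: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) || exit 1
    make_cert "$tmp/default" && make_cert "$tmp/year" 365 || exit 1
    for c in default year; do
        openssl x509 -in "$tmp/$c/server.crt" -noout -subject -enddate
    done
    rm -rf "$tmp"
fi
```

`valid_for` relies on `-checkend`, so the lifetime can be asserted in a script or monitoring check without parsing dates.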
