Am 06.03.2013 um 19:23 schrieb Stefan Sperling <s...@openbsd.org>: > On Wed, Mar 06, 2013 at 01:05:16PM +0000, Stuart Henderson wrote: >> It's not entirely obvious that "-x509" actually means "produce a >> csr, self-sign it (defaulting to SHA1), throw away the csr and write >> the cert" and this had me stuck for a long time when I wanted to >> play with DSA server certs. >> >> So here's a diff which moves DSA cert generation instructions >> to the same style as RSA where the process is to produce a CSR and >> tell people how to sign it in separate steps. It doesn't take much >> longer and is clearer. >> >> As a bonus there are instructions for ECDSA cert generation. >> >> OK? > > I'd like to mention in passing that I got bitten recently > by the default lifetime limit of just 30 days for certs. > I created my own CA but could only use it for one month :(
Same happened to me a while ago. > Perhaps that could be mentioned. Or a -days option could be > added to the example. I agree, please mention and add the option. Regards, Joerg