agate

Simple gemini server for static files
git clone https://github.com/mbrubeck/agate.git

commit b5d479f31504edc53f0e2dade4c50c987c5427de
parent e764d0345841b2c878f61813e540c698bbcfc444
Author: Johann150 <johann.galle@protonmail.com>
Date:   Mon, 15 Nov 2021 19:52:33 +0100

change readme to make automatic cert gen more obvious

Diffstat:
M README.md | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md @@ -66,6 +66,12 @@ When a client requests the URL `gemini://example.com/foo/bar`, Agate will respon ## Configuration +### Automatic Ceritificate generation + +If the `--hostname` argument is used, Agate will generate keys and self signed certificates for each hostname specified. For Gemini it is recommended by the specification to use self signed certificates because Gemini uses the TOFU (Trust on first use) principle for certificates. Because of this, the generated certificates will also have a long expiration time of `4096-01-01`. + +For manual configuration of keys and certificates see the [section on certificates](#certificates) below. + ### TLS versions Agate by default supports TLSv1.2 and TLSv1.3. You can disable support for TLSv1.2 by using the flag `--only-tls13` (or its short version `-3`). This is *NOT RECOMMENDED* as it may break compatibility with some clients. The Gemini specification requires compatibility with TLSv1.2 "for now" because not all platforms have good support for TLSv1.3 (cf. ยง4.1 of the specification). @@ -173,7 +179,6 @@ This would be understood like this: Using a directory named just `.` causes undefined behaviour as this would have the same meaning as the top level certificate/key pair (pair (1) in the example above). The files for a certificate/key pair have to be named `cert.der` and `key.der` respectively. The certificate has to be a X.509 certificate in a DER format file and has to include a subject alt name of the domain name. The private key has to be in DER format and must be either an RSA, ECDSA or Ed25519 key. -If the `--hostname` argument is used, Agate will generate certificates and Ed25519 certificates for each hostname specified. ## Logging
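
Review bot: the heading added in the first hunk is misspelled: `### Automatic Ceritificate generation` should be `### Automatic Certificate generation`, and "self signed" should be hyphenated as "self-signed" in both sentences. The new paragraph also no longer states which key type is generated, although the sentence removed in the second hunk named Ed25519. Stating the algorithm here, and where the generated files are written, would let an operator compare the result with the `cert.der`/`key.der` requirements in the certificates section. Because the text justifies the `4096-01-01` expiry with TOFU, a sentence on what replacing a generated certificate means for clients that already trust the old one would round this out.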
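
Review bot: the second hunk deletes the only mention of `--hostname` from the certificates section and leaves no pointer behind, so a reader who lands there sees only the manual `cert.der`/`key.der` instructions. Suggest replacing the removed line with a one-sentence reference to the new automatic generation section, mirroring the forward link to `#certificates` added in the first hunk.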