Commit Diff

commit - e58a447a28a416ee719a9e457bfc8160a9b0e771
commit + e308526cf63d7cbbabaa4bf93bae45a27fb58d4b
blob - 726b0cb77e829effb300234bca94a0b4e6b157bd
blob + 510e599ba1aa79e88dad9e8f4320fdf677f7d9af
--- gmid.1
+++ gmid.1
@@ -645,10 +645,26 @@ EOF
 $ chmod +x docs/cgi/hello
 $ gmid -x '/cgi/*' docs
+An X.509 certificate must be provided to run
+using a configuration file.
+First, the RSA certificate is created using a wildcard common name:
+.Bd -literal -offset indent
+# openssl genrsa \-out /etc/ssl/private/ 4096
+# openssl req \-new \-x509 \-key /etc/ssl/private/ \e
+	\-out /etc/ssl/ \-days 36500 \-nodes \-subj "/CN=*.com"
+# chmod 600 /etc/ssl/
+# chmod 600 /etc/ssl/private/
+In the example above, a certificate is valid for one hundred years from
+the date it was created, which is normal for TOFU.
 The following is an example of a possible configuration for a site
 that enables only TLSv1.3, adds a mime type for the file extension
-"rtf" and defines two virtual host:
+.Qq rtf
+and defines two virtual host:
 .Bd -literal -offset indent
 ipv6 on		# enable ipv6
@@ -657,14 +673,14 @@ protocols "tlsv1.3"
 map "application/rtf" to-ext "rtf"
 server "" {
-	cert "/path/to/cert.pem"
-	key  "/path/to/key.pem"
+	cert "/etc/ssl/"
+	key  "/etc/ssl/private/"
 	root "/var/gemini/"
 server "" {
-	cert "/path/to/cert.pem"
-	key  "/path/to/key.pem"
+	cert "/etc/ssl/"
+	key  "/etc/ssl/private/"
 	root "/var/gemini/"
 	# enable cgi scripts inside "cgi-bin"