

commit - e58a447a28a416ee719a9e457bfc8160a9b0e771
commit + e308526cf63d7cbbabaa4bf93bae45a27fb58d4b
blob - 726b0cb77e829effb300234bca94a0b4e6b157bd
blob + 510e599ba1aa79e88dad9e8f4320fdf677f7d9af
--- gmid.1
+++ gmid.1
@@ -645,10 +645,26 @@ EOF
 $ chmod +x docs/cgi/hello
 $ gmid -x '/cgi/*' docs
 .Ed
+.Pp
+An X.509 certificate must be provided to run
+.Nm
+using a configuration file.
+First, the RSA certificate is created using a wildcard common name:
+.Bd -literal -offset indent
+# openssl genrsa \-out /etc/ssl/private/example.com.key 4096
+# openssl req \-new \-x509 \-key /etc/ssl/private/example.com.key \e
+	\-out /etc/ssl/example.com.crt \-days 36500 \-nodes \-subj "/CN=*.com"
+# chmod 600 /etc/ssl/example.com.crt
+# chmod 600 /etc/ssl/private/example.com.key
+.Ed
+.Pp
+In the example above, a certificate is valid for one hundred years from
+the date it was created, which is normal for TOFU.
 .Pp
 The following is an example of a possible configuration for a site
 that enables only TLSv1.3, adds a mime type for the file extension
-"rtf" and defines two virtual host:
+.Qq rtf
+and defines two virtual host:
 .Bd -literal -offset indent
 ipv6 on		# enable ipv6
 
@@ -657,14 +673,14 @@ protocols "tlsv1.3"
 map "application/rtf" to-ext "rtf"
 
 server "example.com" {
-	cert "/path/to/cert.pem"
-	key  "/path/to/key.pem"
+	cert "/etc/ssl/example.com.crt"
+	key  "/etc/ssl/private/example.com.key"
 	root "/var/gemini/example.com"
 }
 
 server "it.example.com" {
-	cert "/path/to/cert.pem"
-	key  "/path/to/key.pem"
+	cert "/etc/ssl/example.com.crt"
+	key  "/etc/ssl/private/example.com.key"
 	root "/var/gemini/it.example.com"
 
 	# enable cgi scripts inside "cgi-bin"