[mirror_ovs.git] / lib / ssl-bootstrap.man

.IP "\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR"
When \fIcacert.pem\fR exists, this option has the same effect as
\fB\-C\fR or \fB\-\-ca\-cert\fR.  If it does not exist, then
\fB\*(PN\fR will attempt to obtain the CA certificate from the
SSL peer on its first SSL connection and save it to the named PEM
file.  If it is successful, it will immediately drop the connection
and reconnect, and from then on all SSL connections must be
authenticated by a certificate signed by the CA certificate thus
obtained.
.IP
\fBThis option exposes the SSL connection to a man-in-the-middle
attack obtaining the initial CA certificate\fR, but it may be useful
for bootstrapping.
.IP
This option is only useful if the SSL peer sends its CA certificate as
part of the SSL certificate chain.  The SSL protocol does not require
the server to send the CA certificate.
.IP
This option is mutually exclusive with \fB\-C\fR and
\fB\-\-ca\-cert\fR.
Commit	Line	Data
84ee7bcf BP	1	.IP "\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR"
	2	When \fIcacert.pem\fR exists, this option has the same effect as
	3	\fB\-C\fR or \fB\-\-ca\-cert\fR. If it does not exist, then
	4	\fB\*(PN\fR will attempt to obtain the CA certificate from the
	5	SSL peer on its first SSL connection and save it to the named PEM
	6	file. If it is successful, it will immediately drop the connection
	7	and reconnect, and from then on all SSL connections must be
	8	authenticated by a certificate signed by the CA certificate thus
	9	obtained.
	10	.IP
	11	\fBThis option exposes the SSL connection to a man-in-the-middle
	12	attack obtaining the initial CA certificate\fR, but it may be useful
	13	for bootstrapping.
	14	.IP
	15	This option is only useful if the SSL peer sends its CA certificate as
	16	part of the SSL certificate chain. The SSL protocol does not require
1d5aaa61	17	the server to send the CA certificate.
84ee7bcf	18	.IP
4e312e69	19	This option is mutually exclusive with \fB\-C\fR and
84ee7bcf	20	\fB\-\-ca\-cert\fR.