You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mi...@apache.org on 2018/02/26 14:10:51 UTC
svn commit: r1825373 - in /httpd/httpd/trunk/docs: man/ctlogconfig.8
manual/style/build.properties
Author: minfrin
Date: Mon Feb 26 14:10:51 2018
New Revision: 1825373
URL: http://svn.apache.org/viewvc?rev=1825373&view=rev
Log:
Add the ctlogconfig man page to the docs build.
Added:
httpd/httpd/trunk/docs/man/ctlogconfig.8
Modified:
httpd/httpd/trunk/docs/manual/style/build.properties
Added: httpd/httpd/trunk/docs/man/ctlogconfig.8
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/man/ctlogconfig.8?rev=1825373&view=auto
==============================================================================
--- httpd/httpd/trunk/docs/man/ctlogconfig.8 (added)
+++ httpd/httpd/trunk/docs/man/ctlogconfig.8 Mon Feb 26 14:10:51 2018
@@ -0,0 +1,149 @@
+.\" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+.\" DO NOT EDIT! Generated from XML source.
+.\" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "CTLOGCONFIG" 8 "@date@" "Apache HTTP Server" "ctlogconfig"
+
+.SH NAME
+ctlogconfig \- Certificate Transparency log configuration tool
+
+.SH "SYNOPSIS"
+  
+.PP
+\fBctlogconfig\fR \fI/path/to/db\fR \fBdump\fR
+ 
+.PP
+\fBctlogconfig\fR \fI/path/to/db\fR \fBconfigure-public-key\fR [ \fIlog-id\fR|\fIrecord-id\fR ] \fI/path/to/public-key\&.pem\fR
+ 
+.PP
+\fBctlogconfig\fR \fI/path/to/db\fR \fBconfigure-url\fR [ \fIlog-id\fR|\fIrecord-id\fR ] \fIlog-URL\fR
+ 
+.PP
+\fBctlogconfig\fR \fI/path/to/db\fR \fBvalid-time-range\fR \fIlog-id\fR|\fIrecord-id\fR \fImin-timestamp\fR \fImax-timestamp\fR
+ 
+.PP
+\fBctlogconfig\fR \fI/path/to/db\fR \fBtrust\fR \fIlog-id\fR|\fIrecord-id\fR
+ 
+.PP
+\fBctlogconfig\fR \fI/path/to/db\fR \fBdistrust\fR \fIlog-id\fR|\fIrecord-id\fR
+ 
+.PP
+\fBctlogconfig\fR \fI/path/to/db\fR \fBforget\fR \fIlog-id\fR|\fIrecord-id\fR
+ 
+ 
+.TP
+\fIlog-id\fR
+This is the id of the log, which is the SHA-256 hash of the log's public key, provided in hexadecimal format\&. This string is 64 characters in length\&.  
+.TP
+\fIrecord-id\fR
+This is the record number in the database, as displayed by the \fBdump\fR sub-command, prefixed with \fB#\fR\&. As an example, \fB#4\fR references the fourth record in the databa
se\&. (Use shell escaping as necessary\&.)  
+.TP
+\fI/path/to/public-key\&.pem\fR
+This is a file containing the log's public key in PEM format\&. The public key is not stored in the database\&. Instead, a reference to the file is stored\&. Thus, the file cann
11;t be removed until the public key in the database is removed or changed\&.  
+.TP
+\fImin-timestamp\fR, \fImax-timestamp\fR
+A timestamp is a time as expressed in the number of milliseconds since the epoch, ignoring leap seconds\&. This is the form of time used in Signed Certificate Timestamps\&. Th&
#105;s must be provided as a decimal number\&. Specify \fB-\fR for one of the timestamps if it is unknown\&. For example, when configuring the minimum valid timestamp for a log whi
;ch remains valid, specify \fB-\fR for \fImax-timestamp\fR\&. SCTs received from this log by the proxy are invalid if the timestamp is older than \fImin-timestamp\fR or newer th&
#97;n \fImax-timestamp\fR\&.  
+ 
+
+.SH "SUMMARY"
+ 
+.PP
+ctlogconfig is a tool for creating and maintaining a log configuration database, for use with mod_ssl_ct\&.
+ 
+.PP
+Refer first to Log configuration in the mod_ssl_ct documentation\&.
+ 
+.PP
+Refer to the examples below for typical use\&.
+ 
+
+.SH "SUB-COMMANDS"
+  
+ 
+.TP
+dump
+Display configuration database contents\&. The record id shown in the output of this sub-command can be used to identify the affected record in other sub-commands\&.  
+.TP
+configure-public-key
+Add a log's public key to the database or set the public key for an existing entry\&. The log's public key is needed to validate the signature of SCTs received by a proxy from 	
7; backend server\&. (The database will be created if it does not yet exist\&.)  
+.TP
+configure-url
+Add a log's URL to the database or set the URL for an existing entry\&. The log's URL is used when submitting server certificates to logs in order to obtain SCTs to send to clie&
#110;ts\&. (The database will be created if it does not yet exist\&.)  
+.TP
+valid-time-range
+Set the minimum valid time and/or the maximum valid time for a log\&. SCTs from the log with timestamps outside of the valid range will not be accepted\&. Use - for a time that&
#32;is not being configured\&. (The database will be created if it does not yet exist\&.)  
+.TP
+trust
+Mark a log as trusted, which is the default setting\&. This sub-command is used to reverse a \fIdistrust\fR setting\&. (The database will be created if it does not yet exist\&.)
  
+.TP
+distrust
+Mark a log as distrusted\&. (The database will be created if it does not yet exist\&.)  
+.TP
+forget
+Remove information about a log from the database\&.  
+ 
+.SH "EXAMPLES"
+  
+.PP
+Consider an Apache httpd instance which serves as a TLS server and a proxy\&. The TLS server needs to obtain SCTs from a couple of known logs in order to pass those to clients, &
#97;nd the proxy needs to be able to validate the signature of SCTs received from backend servers\&.
+ 
+.PP
+First we'll configure the URLs for logs where server certificates are logged:
+ 
+.nf
+
+    $ ctlogconfig /path/to/conf/log-config configure-url http://log1\&.example\&.com/
+    $ ctlogconfig /path/to/conf/log-config configure-url http://log2\&.example\&.com/
+    $ ctlogconfig /path/to/conf/log-config dump
+    Log entry:
+      Record 1
+      Log id         : (not configured)
+      Public key file: (not configured)
+      URL            : http://log1\&.example\&.com/
+      Time range     : -INF to +INF 
+    Log entry:
+      Record 2
+      Log id         : (not configured)
+      Public key file: (not configured)
+      URL            : http://log2\&.example\&.com/
+      Time range     : -INF to +INF 
+.fi
+ 
+.PP
+Next we'll set the public key of a log where the certificate of our only backend server is published\&. In this case it is the log with URL http://log2\&.example\&.com/ which ha&
#115; already been configured\&.
+ 
+.nf
+
+    $ ctlogconfig /path/to/conf/log-config configure-public-key \\
+    $ ctlogconfig /path/to/conf/log-config dump
+    Log entry:
+      Record 1
+      Log id         : (not configured)
+      Public key file: (not configured)
+      URL            : http://log1\&.example\&.com/
+      Time range     : -INF to +INF 
+    Log entry:
+      Record 2
+      Log id         : (not configured)
+      Public key file: /path/to/conf/log2-pub\&.pem
+      URL            : http://log2\&.example\&.com/
+      Time range     : -INF to +INF 
+.fi
+ 
Modified: httpd/httpd/trunk/docs/manual/style/build.properties
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/style/build.properties?rev=1825373&r1=1825372&r2=1825373&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/style/build.properties (original)
+++ httpd/httpd/trunk/docs/manual/style/build.properties Mon Feb 26 14:10:51 2018
@@ -10,6 +10,7 @@ retired = no
manpages.8 = \
apachectl \
+ ctlogconfig \
fcgistarter \
htcacheclean \
httpd \
Re: svn commit: r1825373 - in /httpd/httpd/trunk/docs: man/ctlogconfig.8 manual/style/build.properties
Posted by André Malo <nd...@perlig.de>.
* Yann Ylavic wrote:
> On Mon, Feb 26, 2018 at 3:10 PM, <mi...@apache.org> wrote:
> > +..
>
> oO
>
> For those who read the matrix? :)
However that happened... I just rebuilt it and it looks fine. Did you do
anything special with that file, minfrin?
Cheers,
--
> [...] weiß jemand zufällig, was der Tag DIV ausgeschrieben bedeutet?
DIVerses. Benannt nach all dem unstrukturierten Zeug, was die Leute da
so reinpacken und dann absolut positionieren ...
-- Florian Hartig und Lars Kasper in dciwam
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: svn commit: r1825373 - in /httpd/httpd/trunk/docs: man/ctlogconfig.8 manual/style/build.properties
Posted by André Malo <nd...@perlig.de>.
* Yann Ylavic wrote:
> On Mon, Feb 26, 2018 at 3:10 PM, <mi...@apache.org> wrote:
> > +..
>
> oO
>
> For those who read the matrix? :)
However that happened... I just rebuilt it and it looks fine. Did you do
anything special with that file, minfrin?
Cheers,
--
> [...] weiß jemand zufällig, was der Tag DIV ausgeschrieben bedeutet?
DIVerses. Benannt nach all dem unstrukturierten Zeug, was die Leute da
so reinpacken und dann absolut positionieren ...
-- Florian Hartig und Lars Kasper in dciwam
Re: svn commit: r1825373 - in /httpd/httpd/trunk/docs:
man/ctlogconfig.8 manual/style/build.properties
Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, Feb 26, 2018 at 3:10 PM, <mi...@apache.org> wrote:
> Author: minfrin
> Date: Mon Feb 26 14:10:51 2018
> New Revision: 1825373
>
> URL: http://svn.apache.org/viewvc?rev=1825373&view=rev
> Log:
> Add the ctlogconfig man page to the docs build.
>
> Added:
> httpd/httpd/trunk/docs/man/ctlogconfig.8
> Modified:
> httpd/httpd/trunk/docs/manual/style/build.properties
>
> Added: httpd/httpd/trunk/docs/man/ctlogconfig.8
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/man/ctlogconfig.8?rev=1825373&view=auto
> ==============================================================================
> --- httpd/httpd/trunk/docs/man/ctlogconfig.8 (added)
> +++ httpd/httpd/trunk/docs/man/ctlogconfig.8 Mon Feb 26 14:10:51 2018
> @@ -0,0 +1,149 @@
> +.\" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> +.\" DO NOT EDIT! Generated from XML source.
> +.\" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> +.de Sh \" Subsection
> +.br
> +.if t .Sp
> +.ne 5
> +.PP
> +\fB\\$1\fR
> +.PP
> +..
oO
For those who read the matrix? :)