From a432773c8a76e42f875adee19ebd6d401883184d Mon Sep 17 00:00:00 2001
From: "C. McEnroe" <june@causal.agency>
Date: Sat, 1 Aug 2020 18:15:17 -0400
Subject: Document concatenating client certificates for auth

This is actually the better approach since certificates can easily be
removed from the file.
---
 pounce.1 | 33 +++++++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/pounce.1 b/pounce.1
index 6190d6d..59c8728 100644
--- a/pounce.1
+++ b/pounce.1
@@ -1,4 +1,4 @@
-.Dd July  6, 2020
+.Dd August  1, 2020
 .Dt POUNCE 1
 .Os
 .
@@ -427,7 +427,36 @@ not to the server.
 .Ss Generating Client Certificates
 .Bl -enum
 .It
-Generate a self-signed certificate authority (CA):
+Generate self-signed client certificates and private keys:
+.Bd -literal -offset indent
+pounce -g client1.pem
+pounce -g client2.pem
+.Ed
+.It
+Concatenate the certificate public keys into a CA file:
+.Bd -literal -offset indent
+openssl x509 -subject -in client1.pem >> auth.pem
+openssl x509 -subject -in client2.pem >> auth.pem
+.Ed
+.It
+Configure
+.Nm
+to verify client certificates
+against the CA file:
+.Bd -literal -offset indent
+local-ca = auth.pem
+# or: pounce -A auth.pem
+.Ed
+.El
+.
+.Pp
+Alternatively,
+client certificates can be signed
+by a generated certificate authority:
+.
+.Bl -enum
+.It
+Generate a self-signed certificate authority:
 .Bd -literal -offset indent
 pounce -g auth.pem
 .Ed
-- 
cgit 1.4.1