From cd3128597931b10905c5c90b758bcb7a7bc7e915 Mon Sep 17 00:00:00 2001 From: "C. McEnroe" Date: Fri, 17 Jan 2020 16:47:24 -0500 Subject: Document process of generating client certificates --- pounce.1 | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/pounce.1 b/pounce.1 index 5edbbfa..96ae985 100644 --- a/pounce.1 +++ b/pounce.1 @@ -1,4 +1,4 @@ -.Dd January 12, 2020 +.Dd January 17, 2020 .Dt POUNCE 1 .Os . @@ -75,6 +75,8 @@ Require clients to authenticate using a TLS client certificate signed by the certificate authority loaded from .Ar path . +See +.Sx Generating Client Certificates . If .Fl W is also set, @@ -297,7 +299,13 @@ If .Fl W is used, clients must send a server password. -Clients should not attempt SASL. +If +.Fl A +is used, +clients must connect with a client certificate +and may request SASL EXTERNAL. +If both are used, +clients may authenticate with either method. . .Pp Clients should register with unique usernames, @@ -336,6 +344,38 @@ sent to the user's own nickname are relayed only to other clients, not to the server. . +.Ss Generating Client Certificates +.Bl -enum +.It +Generate a self-signed certificate authority (CA): +.Bd -literal -offset indent +pounce -g auth.pem +.Ed +.It +Generate and sign client certificates +using the CA: +.Bd -literal -offset indent +pounce -A auth.pem -g client1.pem +pounce -A auth.pem -g client2.pem +.Ed +.It +Since only the public key is needed +for certificate verification, +extract it from the CA: +.Bd -literal -offset indent +openssl x509 -in auth.pem -out auth.crt +.Ed +.It +Configure +.Nm +to verify client certificates +against the CA: +.Bd -literal -offset indent +local-ca = auth.crt +# or: pounce -A auth.crt +.Ed +.El +. .Ss Configuring SASL EXTERNAL .Bl -enum .It -- cgit 1.4.1
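Review bot: the hunk at @@ -297,7 +299,13 @@ drops "Clients should not attempt SASL." without replacing the guidance for the password-only case; after this change the text says what clients must do when -W is set (send a server password) and when -A is set (present a certificate, optionally request SASL EXTERNAL), but no longer tells a client configured against a -W-only instance that SASL is not available, so a client that tries SASL EXTERNAL there will fail with no hint in the manual. Suggest keeping one sentence for that case, e.g. "If only -W is used, clients should not attempt SASL." The closing "If both are used, clients may authenticate with either method." also sits awkwardly after two sentences that each say "must"; rewording the first two as "If -W is used and -A is not, clients must ..." (and the mirror for -A) would remove the apparent contradiction.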
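Review bot: in the new "Generating Client Certificates" subsection (hunk at @@ -336,6 +344,38 @@), step 3 says "Since only the public key is needed for certificate verification, extract it from the CA" and then runs `openssl x509 -in auth.pem -out auth.crt`; that command extracts the CA certificate from the PEM bundle, not a bare public key, and it is the certificate (issuer name, signature, validity) that the -A verification actually needs. Suggest wording it as "extract the CA certificate, leaving the private key behind" so readers do not go looking for an `openssl pkey`/`-pubout` step. It is also worth stating explicitly what the procedure only implies: auth.pem produced by `pounce -g auth.pem` in step 1 contains the CA private key, is what step 2 signs with, and is the one file that must be kept private; auth.crt is the only thing the running daemon needs, and a note to that effect (plus a reminder to reuse the same auth.pem when issuing further client certificates later) would make the section safer to follow.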