| field | value | date |
|---|---|---|
| author | Arne Schwabe <arne@rfc2549.org> | 2012-10-01 11:05:18 +0200 |
| committer | David Sommerseth <davids@redhat.com> | 2012-10-15 18:14:43 +0200 |
| commit | 75b6f4bd84302d225a301f4ed87e2bb27908b972 (patch) | |
| tree | 75018b43469a80717c82af517fb595cdd78898c3 | |
| parent | 6abd293e5c04467a17e6ed4cf01c708cef0ac046 (diff) | |
| download | openvpn-75b6f4bd84302d225a301f4ed87e2bb27908b972.tar.gz openvpn-75b6f4bd84302d225a301f4ed87e2bb27908b972.tar.xz openvpn-75b6f4bd84302d225a301f4ed87e2bb27908b972.zip | |
Document management-external-key

Adapt commit message from cf69617bbea45a15423c4188daa9386debcbe1ec for man
page and management documentation.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1349082318-985-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7081
Signed-off-by: David Sommerseth <davids@redhat.com>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/management-notes.txt | 28 |
| -rw-r--r-- | doc/openvpn.8 | 5 |
2 files changed, 33 insertions, 0 deletions
diff --git a/doc/management-notes.txt b/doc/management-notes.txt index a07a514..79e71ad 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -750,6 +750,34 @@ To accept connecting to the host and port directly, use this command: proxy NONE +COMMAND -- rsa-sig (OpenVPN 2.3 or higher) +------------------------------------------ +Provides support for external storage of the private key. Requires the +--management-external-key option. This option can be used instead of "key" +in client mode, and allows the client to run without the need to load the +actual private key. When the SSL protocol needs to perform an RSA sign +operation, the data to be signed will be sent to the management interface +via a notification as follows: + +>RSA_SIGN:[BASE64_DATA] + +The management interface client should then sign BASE64_DATA +using the private key and return the SSL signature as follows: + +rsa-sig +[BASE64_SIG_LINE] +. +. +. +END + +Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a +correct signature. + +This capability is intended to allow the use of arbitrarycryptographic +service providers with OpenVPN via the management interface. + + OUTPUT FORMAT ------------- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index da1c0f9..aa653ec 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2464,6 +2464,11 @@ Allow management interface to override .B \-\-remote directives (client-only). .\"********************************************************* +.B \-\-management-external-key +Allows usage for external private key file instead of +.B \-\-key +option (client-only). +.\"********************************************************* .TP .B \-\-management-forget-disconnect Make OpenVPN forget passwords when management session |
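Review bot: In the doc/management-notes.txt hunk, the sentence "Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a correct signature" is the only statement of what BASE64_DATA is and how it must be signed, and it is cut off mid-call, so a management client author has to guess. State it explicitly: the data delivered in `>RSA_SIGN:[BASE64_DATA]` is already the digest the TLS handshake wants signed, and the client must apply PKCS#1 v1.5 padding to it as-is, without hashing it again and without a DigestInfo header, which is what RSA_sign() with NID_md5_sha1 does. Getting this wrong produces a signature the peer rejects, so it is worth a sentence. Two smaller points in the same hunk: "arbitrarycryptographic" is missing a space, and "This option can be used instead of "key" in client mode" refers to --management-external-key rather than the rsa-sig command, so name the option there rather than saying "This option".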
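Review bot: In the doc/openvpn.8 hunk the new `.B \-\-management-external-key` entry is inserted without a preceding `.TP`, while the `.B \-\-management-forget-disconnect` entry that follows it (and the surrounding list) has one, so this option will not render as a tagged paragraph like its neighbours; add `.TP` before the `.B` line. The description "Allows usage for external private key file instead of" is also awkward and slightly misleading, since no key file is involved on the OpenVPN side; something like "Use an external private key, accessed through the management interface, instead of the `.B \-\-key` option (client-only)" reads better, and the entry should point at the rsa-sig command in management-notes.txt, which the man page otherwise never mentions.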