From 7966d75a9d41453a56e41eaae7b0fd64f75f7ec3 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Mon, 25 Apr 2011 04:58:34 +0000 Subject: Added new "extra-certs" and "verify-hash" options (see man page for details). Increase the timeout after SIGUSR1 restart when restart is not due to server_poll_timeout. Version 2.1.3v git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7215 e7ae566f-a301-0410-adde-c780ea21d3b5 --- openvpn.8 | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'openvpn.8') diff --git a/openvpn.8 b/openvpn.8 index 1953b16..85889de 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -3887,6 +3887,22 @@ that for certificate authority functions, you must set up the files ). .\"********************************************************* .TP +.B --extra-certs file +Specify a +.B file +containing one or more PEM certs (concatenated together) +that complete the +local certificate chain. + +This option is useful for "split" CAs, where the CA for server +certs is different than the CA for client certs. Putting certs +in this file allows them to be used to complete the local +certificate chain without trusting them to verify the peer-submitted +certificate, as would be the case if the certs were placed in the +.B ca +file. +.\"********************************************************* +.TP .B --key file Local peer's private key in .pem format. Use the private key which was generated when you built your peer's certificate (see 
@@ -3903,6 +3919,17 @@ and .B --key. .\"********************************************************* .TP +.B --verify-hash hash +Specify SHA1 fingerprint for level-1 cert. The level-1 cert is the +CA (or intermediate cert) that signs the leaf certificate, and is +one removed from the leaf certificate in the direction of the root. +When accepting a connection from a peer, the level-1 cert +fingerprint must match +.B hash +or certificate verification will fail. Hash is specified +as XX:XX:... For example: AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16 +.\"********************************************************* +.TP .B --pkcs11-cert-private [0|1]... Set if access to certificate object should be performed after login. Every provider has its own setting. -- cgit
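Review bot: in the --extra-certs entry (first hunk, @@ -3887,6 +3887,22 @@), "complete the local certificate chain" is never defined operationally: the text does not say what order the concatenated certs must appear in, whether the root itself belongs in the file, or what the peer needs in its own ca file for the completed chain to validate. A reader setting up a split CA has only this paragraph to work from, so please state those three points. The security property in the second paragraph (certs here are not trusted to verify the peer-submitted certificate) is the reason the option exists and would be easier to find as its own sentence rather than a trailing clause. Minor: "different than" should be "different from".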
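Review bot: in the --verify-hash entry (second hunk, @@ -3903,6 +3919,17 @@), "When accepting a connection from a peer" leaves it unclear whether the check runs only on the side that accepts the connection or on any side that verifies a peer chain; please say which. The entry should also state whether the fingerprint match is applied in addition to normal chain verification or in place of part of it, what happens when the peer's chain contains no level-1 cert, and that the digest is fixed to SHA1 since the option name carries no algorithm. The example fingerprint is run into the end of the sentence; putting it on its own line after "For example:" would make the XX:XX:... format unambiguous.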