src/danetool-args.def

   1 AutoGen Definitions options;
   2 prog-name     = danetool;
   3 prog-title    = "GnuTLS DANE tool";
   4 prog-desc     = "Generate DANE TLSA RR entries.";
   5 detail    = "Tool to generate DNS resource records for the DANE protocol.";
   6 short-usage   = "danetool [options]\ndanetool --help for usage instructions.\n";
   7 explain       = "";
   8
   9 #define  INFILE_OPT    0
  10 #define  OUTFILE_OPT   1
  11 #define  VERBOSE_OPT 1
  12 #include args-std.def
  13
  14 flag = {
  15     name      = load-pubkey;
  16     descrip   = "Loads a public key file";
  17     arg-type  = string;
  18     doc = "This can be either a file or a PKCS #11 URL";
  19 };
  20
  21 flag = {
  22     name      = load-certificate;
  23     descrip   = "Loads a certificate file";
  24     arg-type  = string;
  25     doc = "This can be either a file or a PKCS #11 URL";
  26 };
  27
  28 flag = {
  29     name      = hash;
  30     arg-type  = string;
  31     descrip   = "Hash algorithm to use for signing.";
  32     doc = "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.";
  33 };
  34
  35 flag = {
  36     name      = check;
  37     arg-type  = string;
  38     descrip   = "Check a host's DANE TLSA entry.";
  39     doc = "Obtains the DANE TLSA entry from the given hostname and prints information.";
  40 };
  41
  42 flag = {
  43     name      = local-dns;
  44     descrip   = "Use the local DNS server for DNSSEC resolving.";
  45     disabled;
  46     disable   = "no";
  47     doc       = "This option will use the local DNS server for DNSSEC.
  48 This is disabled by default due to many servers not allowing DNSSEC.";
  49 };
  50
  51 flag = {
  52     name      = inder;
  53     descrip   = "Use DER format for input certificates and private keys.";
  54     disabled;
  55     disable   = "no";
  56     doc       = "The input files will be assumed to be in DER or RAW format.
  57 Unlike options that in PEM input would allow multiple input data (e.g. multiple
  58 certificates), when reading in DER format a single data structure is read.";
  59 };
  60
  61 flag = {
  62     name      = inraw;
  63     aliases   = inder;
  64 };
  65
  66 flag = {
  67     name      = tlsa-rr;
  68     descrip   = "Print the DANE RR data on a certificate or public key";
  69     flags_must = host;
  70     doc = "This command prints the DANE RR data needed to enable DANE on a DNS server.";
  71 };
  72
  73 flag = {
  74     name      = host;
  75     descrip   = "Specify the hostname to be used in the DANE RR";
  76     arg-type  = string;
  77     arg-name  = "Hostname";
  78     doc = "This command sets the hostname for the DANE RR.";
  79 };
  80
  81 flag = {
  82     name      = proto;
  83     descrip   = "The protocol set for DANE data (tcp, udp etc.)";
  84     arg-type  = string;
  85     arg-name  = "Protocol";
  86     doc = "This command specifies the protocol for the service set in the DANE data.";
  87 };
  88
  89 flag = {
  90     name      = port;
  91     arg-type  = number;
  92     descrip   = "Specify the port number for the DANE data.";
  93     default-value = 443;
  94     doc      = "";
  95 };
  96
  97 flag = {
  98     name      = ca;
  99     descrip   = "Whether the provided certificate or public key is a Certificate Authority.";
 100     doc      = "Marks the DANE RR as a CA certificate if specified.";
 101 };
 102
 103 flag = {
 104     name      = x509;
 105     descrip   = "Use the hash of the X.509 certificate, rather than the public key.";
 106     doc      = "This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.";
 107 };
 108
 109 flag = {
 110     name      = local;
 111     descrip   = "The provided certificate or public key is a local entity.";
 112     doc      = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.";
 113 };
 114
 115 doc-section = {
 116   ds-type = 'SEE ALSO';
 117   ds-format = 'texi';
 118   ds-text   = <<-_EOT_
 119     certtool (1)
 120 _EOT_;
 121 };
 122
 123 doc-section = {
 124   ds-type = 'EXAMPLES';
 125   ds-format = 'texi';
 126   ds-text   = <<-_EOT_
 127 @subheading DANE TLSA RR generation
 128
 129 To create a DANE TLSA resource record for a CA signed certificate use the following commands.
 130
 131 @example
 132 $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
 133 @end example
 134
 135 For a self signed certificate use:
 136 @example
 137 $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
 138   --local
 139 @end example
 140
 141 The latter is useful to add in your DNS entry even if your certificate is signed
 142 by a CA. That way even users who do not trust your CA will be able to verify your
 143 certificate using DANE.
 144
 145 In order to create a record for the signer of your certificate use:
 146 @example
 147 $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
 148   --ca
 149 @end example
 150
 151 To read a server's DANE TLSA entry, use:
 152 @example
 153 $ danetool --check www.example.com --proto tcp --port 443
 154 @end example
 155
 156 To verify a server's DANE TLSA entry, use:
 157 @example
 158 $ danetool --check www.example.com --proto tcp --port 443 --load-certificate chain.pem
 159 @end example
 160 _EOT_;
 161 };
 162
 163