X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd-journal-upload.xml;h=b4422f2a17ab328abc015bf1662a77d6af1deccc;hp=ca251c6cdd36dc64954cf68603eb18f3a7a2bdc9;hb=9700d6980f7c212b10a69399e6430b82a6f45587;hpb=330427e271c37400f091bf4570b5d8fa96574d36
diff --git a/man/systemd-journal-upload.xml b/man/systemd-journal-upload.xml
index ca251c6cd..b4422f2a1 100644
--- a/man/systemd-journal-upload.xml
+++ b/man/systemd-journal-upload.xml
@@ -181,6 +181,76 @@ along with systemd; If not, see .
failure code is returned.
+
+ Examples
+
+ Setting up certificates for authentication
+
+ Certificates signed by a trusted authority are used to
+ verify that the server to which messages are uploaded is
+ legitimate, and vice versa, that the client is trusted.
+
+ A suitable set of certificates can be generated with
+ openssl:
+
+ openssl req -newkey rsa:2048 -days 3650 -x509 -nodes \
+ -out ca.pem -keyout ca.key -subj '/CN=Certificate authority/'
+
+cat >ca.conf <<EOF
+[ ca ]
+default_ca = this
+
+[ this ]
+new_certs_dir = .
+certificate = ca.pem
+database = ./index
+private_key = ca.key
+serial = ./serial
+default_days = 3650
+default_md = default
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+EOF
+
+touch index
+echo 0001 > serial
+
+SERVER=server
+CLIENT=client
+
+openssl req -newkey rsa:1024 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
+openssl ca -batch -config ca.conf -notext -in $SERVER.csr -out $SERVER.pem
+
+openssl req -newkey rsa:1024 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
+openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
+
+
+ Generated files ca.pem,
+ server.pem, and
+ server.key should be installed on server,
+ and ca.pem,
+ client.pem, and
+ client.key on the client. The location of
+ those files can be specified using
+ TrustedCertificateFile=,
+ ServerCertificateFile=,
+ ServerKeyFile=, in
+ /etc/systemd/journal-remote.conf and
+ /etc/systemd/journal-upload.conf
+ respectively. The default locations can be queried by using
+ systemd-journal-remote --help and
+ systemd-journal-upload --help.
+
+
+
See Also
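Review bot: The server and client keys in the example are created with `-newkey rsa:1024`, although the CA key a few lines earlier uses `rsa:2048`; 1024-bit RSA is no longer considered adequate for TLS authentication, and readers tend to copy man-page examples verbatim. Both request lines should use the CA's size, e.g. `openssl req -newkey rsa:2048 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"`, and likewise for `$CLIENT`. Because `-nodes` writes every private key unencrypted, the paragraph after the listing should also say that `ca.key` is not installed on either host and that the installed `.key` files should be readable only by the service user. That paragraph names only `TrustedCertificateFile=`, `ServerCertificateFile=` and `ServerKeyFile=` for both configuration files, so it is worth confirming that these are the option names `journal-upload.conf` actually accepts.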