-<?xml version='1.0'?> <!--*-nxml-*-->
+<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
-This file is part of systemd.
+ This file is part of systemd.
-Copyright 2014 Zbigniew Jędrzejewski-Szmek
+ Copyright 2014 Zbigniew Jędrzejewski-Szmek
-systemd is free software; you can redistribute it and/or modify it
-under the terms of the GNU Lesser General Public License as published by
-the Free Software Foundation; either version 2.1 of the License, or
-(at your option) any later version.
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
-systemd is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
-You should have received a copy of the GNU Lesser General Public License
-along with systemd; If not, see <http://www.gnu.org/licenses/>.
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="systemd-journal-upload" conditional='HAVE_MICROHTTPD'
failure code is returned.</para>
</refsect1>
+ <refsect1>
+ <title>Examples</title>
+ <example>
+ <title>Setting up certificates for authentication</title>
+
+ <para>Certificates signed by a trusted authority are used to
+ verify that the server to which messages are uploaded is
+ legitimate, and vice versa, that the client is trusted.</para>
+
+ <para>A suitable set of certificates can be generated with
+ <command>openssl</command>:</para>
+
+ <programlisting>openssl req -newkey rsa:2048 -days 3650 -x509 -nodes \
+ -out ca.pem -keyout ca.key -subj '/CN=Certificate authority/'
+
+cat >ca.conf <<EOF
+[ ca ]
+default_ca = this
+
+[ this ]
+new_certs_dir = .
+certificate = ca.pem
+database = ./index
+private_key = ca.key
+serial = ./serial
+default_days = 3650
+default_md = default
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+EOF
+
+touch index
+echo 0001 > serial
+
+SERVER=server
+CLIENT=client
+
+openssl req -newkey rsa:1024 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
+openssl ca -batch -config ca.conf -notext -in $SERVER.csr -out $SERVER.pem
+
+openssl req -newkey rsa:1024 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
+openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
+</programlisting>
+
+ <para>Generated files <filename>ca.pem</filename>,
+ <filename>server.pem</filename>, and
+ <filename>server.key</filename> should be installed on server,
+ and <filename>ca.pem</filename>,
+ <filename>client.pem</filename>, and
+ <filename>client.key</filename> on the client. The location of
+ those files can be specified using
+ <varname>TrustedCertificateFile=</varname>,
+ <varname>ServerCertificateFile=</varname>,
+ <varname>ServerKeyFile=</varname>, in
+ <filename>/etc/systemd/journal-remote.conf</filename> and
+ <filename>/etc/systemd/journal-upload.conf</filename>
+ respectively. The default locations can be queried by using
+ <command>systemd-journal-remote --help</command> and
+ <command>systemd-journal-upload --help</command>.</para>
+ </example>
+ </refsect1>
+
<refsect1>
<title>See Also</title>
<para>
~ianmdlvl / elogind.git / blobdiff