From 692be000a8b467fd50bb38727e92d07db249d481 Mon Sep 17 00:00:00 2001 From: "Christopher R. Wood" Date: Thu, 30 May 2024 15:44:21 -0400 Subject: [PATCH] Document converting key to DER-encoded urlsafe b64 --- docs/frontends/webapi.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/frontends/webapi.rst b/docs/frontends/webapi.rst index b581d7aeb..baffa412d 100644 --- a/docs/frontends/webapi.rst +++ b/docs/frontends/webapi.rst @@ -449,7 +449,12 @@ Creating a New Directory In addition, an optional "private-key=" argument is supported which, if given, specifies the underlying signing key to be used when creating the directory. This value must be a DER-encoded 2048-bit RSA private key in urlsafe base64 - encoding. Because this key can be used to derive the write capability for the + encoding. (To convert an existing PEM-encoded RSA key file into the format + required, the following commands may be used -- assuming a modern UNIX-like + environment with common tools already installed: + ``openssl rsa -in key.pem -outform der | base64 -w 0 -i - | tr '+/' '-_'``) + + Because this key can be used to derive the write capability for the associated directory, additional care should be taken to ensure that the key is unique, that it is kept confidential, and that it was derived from an appropriate (high-entropy) source of randomness. If this argument is omitted
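Review bot: In the added parenthetical, `base64 -w 0 -i -` depends on GNU coreutils, so "a modern UNIX-like environment with common tools" understates the requirement: `-w` is a GNU option, and GNU's `-i` means ignore-garbage, which only has an effect when decoding. Suggest either naming GNU coreutils explicitly or letting OpenSSL do the encoding, since it is already required, for example `openssl rsa -in key.pem -outform der | openssl base64 -A | tr '+/' '-_'`. The `tr '+/' '-_'` step leaves any trailing `=` padding in place, so the text should also say whether the "private-key=" argument accepts padded input. Because the next sentence asks that the key be kept confidential, it is worth adding that this pipeline writes the encoded private key to standard output, where it can end up in terminal scrollback or logs unless redirected to a file with restrictive permissions.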