[FAB-4841] Doc no support for encrypted keys

This change set updates the fabric CA doc to state that encrypted keys are not supported. It also removes a section about making TLS over localhost work because it is not needed (nor recommended). Change-Id: Iaa5d1b97aaaeb4ef3f57554ff005540d631350e9 Signed-off-by: Keith Smith <[email protected]>
hyperledger · Jun 22, 2017 · 5200f07 · 5200f07
1 parent ba9c7a8
commit 5200f07
Showing 1 changed file with 15 additions and 10 deletions.
diff --git a/docs/source/users-guide.rst b/docs/source/users-guide.rst
@@ -775,32 +775,30 @@ Fabric CA server; this identity is the server administrator.
 The server configuration file contains a Certificate Signing Request (CSR)
 section that can be configured. The following is a sample CSR.
 
-If you are going to connect to the Fabric CA server remotely over TLS,
-replace "localhost" in the CSR section below with the hostname where you
-will be running your Fabric CA server.
-
 .. _csr-fields:
 
 .. code:: yaml
 
-    cn: localhost
-    key:
-        algo: ecdsa
-        size: 256
-    names:
+   cn: fabric-ca-server
+   names:
       - C: US
         ST: "North Carolina"
         L:
         O: Hyperledger
         OU: Fabric
+   hosts:
+     - host1.example.com
+     - localhost
+   ca:
+      expiry: 131400h
+      pathlength: 1
 
 All of the fields above pertain to the X.509 signing key and certificate which
 is generated by the ``fabric-ca-server init``.  This corresponds to the
 ``ca.certfile`` and ``ca.keyfile`` files in the server's configuration file.
 The fields are as follows:
 
   -  **cn** is the Common Name
-  -  **key** specifies the algorithm and key size as described below
   -  **O** is the organization name
   -  **OU** is the organizational unit
   -  **L** is the location or city
@@ -823,6 +821,13 @@ attribute whose value equals 'true'.
 The ``fabric-ca-server init`` command also generates a default configuration
 file named **fabric-ca-server-config.yaml** in the server's home directory.
 
+If you want the Fabric CA server to use a CA signing certificate and key file which you provide,
+you must place your files in the location referenced by ``ca.certfile`` and ``ca.keyfile`` respectively.
+Both files must be PEM-encoded and must not be encrypted.
+More specifically, the contents of the CA certificate file must begin with ``-----BEGIN CERTIFICATE-----``
+and the contents of the key file must begin with ``-----BEGIN PRIVATE KEY-----`` and not
+``-----BEGIN ENCRYPTED PRIVATE KEY-----``.
+
 Algorithms and key sizes
 
 The CSR can be customized to generate X.509 certificates and keys that