[rs-commit] r544 - in /rs-manual/trunk/src/site: resources/images/mod_ca_disk-ca_disk_reqauthz.png xhtml5/mod/mod_ca_disk.xhtml5
rs-commit at redwax.eu
Thu Mar 12 13:31:19 CET 2026
Author: minfrin at redwax.eu
Date: Thu Mar 12 13:31:19 2026
New Revision: 544
Log:
Document Renewal Authorisation from Disk.
Added:
rs-manual/trunk/src/site/resources/images/mod_ca_disk-ca_disk_reqauthz.png (with props)
Modified:
rs-manual/trunk/src/site/xhtml5/mod/mod_ca_disk.xhtml5
Added: rs-manual/trunk/src/site/resources/images/mod_ca_disk-ca_disk_reqauthz.png
==============================================================================
Binary file - no diff available.
Propchange: rs-manual/trunk/src/site/resources/images/mod_ca_disk-ca_disk_reqauthz.png
------------------------------------------------------------------------------
svn:mime-type = image/png
Modified: rs-manual/trunk/src/site/xhtml5/mod/mod_ca_disk.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod/mod_ca_disk.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod/mod_ca_disk.xhtml5 Thu Mar 12 13:31:19 2026
@@ -95,6 +95,47 @@
<section>
<header>
<h3>
+ <a href="mod_ca.html#ca_reqauthz">Request Authorization Hook</a>
+ </h3>
+ </header>
+ <div class="content">
+ <p>This optional hook allows you to verify the parameters
+ included with the certificate sign request, such as the
+ previous certificate. If left unconfigured, all certificate
+ requests will be accepted.</p>
+ <p>
+ This module provides the following implementations of this hook.
+ </p>
+ <table>
+ <tbody>
+ <tr>
+ <td>
+ <a href="mod_ca_disk.html#hook-ca_reqauthz_disk">Disk Request Authorization</a>
+ </td>
+ <td>Verifies renewal authorization against files on disk.</td>
+ </tr>
+ </tbody>
+ </table>
+ <p>
+ This hook is called by the following
+ <a href="mod_ca.html#frontend">frontend modules</a>.
+ </p>
+ <table>
+ <tbody>
+ <tr>
+ <td>
+ <a href="mod_scep.html">mod_scep</a>
+ </td>
+ <td>Generate and issue certificates using the SCEP protocol.</td>
+ </tr>
+ </tbody>
+ </table>
+ </div>
+ </section>
+
+ <section>
+ <header>
+ <h3>
<a href="mod_ca.html#ca_sign">Sign Request Hook</a>
</h3>
</header>
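Review bot: The link text "Disk Request Authorization" in the implementations table does not match the heading of the section it points to (#hook-ca_reqauthz_disk), which is titled "Renewal Authorisation from Disk". Use one name and one spelling (Authorization or Authorisation) in both places so readers can find the target. Separately, "If left unconfigured, all certificate requests will be accepted" describes a fail-open default. Since mod_scep is listed as a caller, it would help to say here that renewal requests are not checked against existing certificates until an implementation of this hook is configured.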
@@ -432,6 +473,30 @@
</div>
</section>
+ <section id="hook-ca_reqauthz_disk">
+ <header>
+ <h3><a href="mod_ca.html#ca_reqauthz">Renewal Authorisation from Disk</a></h3>
+ </header>
+ <div class="content">
+ <p>
+ <img class="image right" src="../images/mod_ca_disk-ca_disk_reqauthz.png" />
+ Checks whether a renewal request signed by a previous certificate can be found
+ among our existing certificates, and that the existing certificate is still
+ valid and not revoked.</p>
+
+ <p>The <a href="#directive-CADiskIndexFile">CADiskIndexFile</a> directive
+ is searched to confirm certificate validity, and if valid the
+ <a href="#directive-CADiskCertificateBySerialPath">CADiskCertificateBySerialPath</a>
+ is searched for an exact match. Both of these directives must be present for this
+ hook to take effect.</p>
+
+ <p>If the <a href="#directive-CADiskIndexUnique">CADiskIndexUnique</a> directive is
+ enabled all renewal attempts are rejected, as renewal requires that the previous
+ certificate and current certificate are valid at the same time.</p>
+
+ </div>
+ </section>
+
<section id="hook-ca_certstore_disk">
<header>
<h3><a href="mod_ca.html#ca_certstore">Certificate Storage Save To Disk</a></h3>
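Review bot: "Both of these directives must be present for this hook to take effect" does not say what happens when only one of CADiskIndexFile and CADiskCertificateBySerialPath is set. Because the hook overview states that an unconfigured hook accepts all requests, please state explicitly whether a partial configuration declines (and so accepts the request) or rejects it. Two smaller points: "The CADiskIndexFile directive is searched" reads as if the directive itself is searched, where "the file named by CADiskIndexFile" and "the path named by CADiskCertificateBySerialPath" would be clearer; and the added img element has no alt attribute.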