From 196e123415fb4e3d8db11f8356a51faafc9dfdbb Mon Sep 17 00:00:00 2001 From: Bernhard Reiter Date: Wed, 16 Feb 2022 09:55:16 +0100 Subject: [PATCH] Improve docs/development-ca.md * Add some considerations and references. So readers can follow some of the engineering thoughts. --- docs/development-ca.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/development-ca.md b/docs/development-ca.md index cc124d9..51f0e26 100644 --- a/docs/development-ca.md +++ b/docs/development-ca.md @@ -65,3 +65,24 @@ echo Full path config options for nginx: echo " ssl_certificate \"$PWD/bundle.crt\";" echo " ssl_certificate_key \"$PWD/testserver-key.pem\";" ``` + + +## Considerations and References + + * The command line and template options are explained in the + GnuTLS documentation at the end of _certtool Invocation_, see the + [https://gnutls.org/manual/html_node/certtool-Invocation.html](section of the current stable documentation), but be aware that it maybe newer than + the version you have installed. + * Using GnuTLS instead of OpenSSL, because GnuTLS is an implementation + with a long, good track record. Configuration is also slightly slimmer. + (Overall it is positive for the security of Open Standards + like TLS and CMS, that there are several competing compatible + implementations. Selecting a different implementation here and there helps + the ecosystem by fostering that competition.) + * Using the GnuTLS default algorithm (RSA 3072 at time for writing) is + good enough, as the goal is not to test ECC compatibility for client + certificates for servers, browser and tools. + * An example script for server certs: + https://gist.github.com/epcim/832cec2482a255e3f392 + * An example for client certs as part of the libvirt setup instructions: + https://wiki.libvirt.org/page/TLSCreateClientCerts
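Review bot: the Markdown link in the first bullet of the new "Considerations and References" section has its two parts swapped: `[https://gnutls.org/manual/html_node/certtool-Invocation.html](section of the current stable documentation)` puts the URL in the link-text position and the prose in the target position, so it renders as a link whose target is the literal phrase and is dead. Suggest `[section of the current stable documentation](https://gnutls.org/manual/html_node/certtool-Invocation.html)`. Minor wording in the same hunk: "it maybe newer" should read "it may be newer", "at time for writing" should read "at the time of writing", and "servers, browser and tools" should read "servers, browsers and tools". Since the hunk itself warns that the installed GnuTLS may differ from the documented version, the "RSA 3072" bullet would be clearer if it said that this default also depends on the installed GnuTLS version and may change, so readers do not assume a fixed key size.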