<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision: $ -->

<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-->

<manualpage metafile="ctlogconfig.xml.meta">
<parentdocument href="./">Programs</parentdocument>

  <title>ctlogconfig - Certificate Transparency log configuration tool</title>

<summary>
    <p><code>ctlogconfig</code> is a tool for maintaining a log configuration
    database, for use with <module>mod_ssl_ct</module>.</p>

    <p>Refer first to <a href="../mod/mod_ssl_ct.html#logconf">Log
    configuration</a> in the <module>mod_ssl_ct</module> documentation.</p>

    <p>Refer to the <a href="#examples">examples below</a> for typical use.</p>
</summary>
<seealso><module>mod_ssl_ct</module></seealso>

<section id="synopsis">
  <title>Synopsis</title>
  <p><code>
  <strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>dump</strong>
  </code></p>

  <p><code>
  <strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>configure-public-key</strong>
  [ <em>log-id</em>|<em>record-id</em> ]
  <em>/path/to/public-key.pem</em>
  </code></p>

  <p><code>
  <strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>configure-url</strong>
  [ <em>log-id</em>|<em>record-id</em> ]
  <em>log-URL</em>
  </code></p>

  <p><code>
  <strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>valid-time-range</strong>
  <em>log-id</em>|<em>record-id</em>
  <em>min-timestamp</em> <em>max-timestamp</em>
  </code></p>

  <p><code>
  <strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>trust</strong>
  <em>log-id</em>|<em>record-id</em>
  </code></p>

  <p><code>
  <strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>distrust</strong>
  <em>log-id</em>|<em>record-id</em>
  </code></p>

  <p><code>
  <strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>forget</strong>
  <em>log-id</em>|<em>record-id</em>
  </code></p>
</section>

<section id="subcommands">
  <title>Sub-commands</title>
  <dl>
    <dt>dump</dt>
    <dd>Display configuration database contents.  The record id shown in
    the output of this sub-command can be used to identify the affected
    record in other sub-commands.</dd>

    <dt>configure-public-key</dt>
    <dd>Add a log's public key to the database or set the public key for an
    existing entry.  The log's public key is needed to validate the signature
    of SCTs received by a proxy from a backend server.</dd>

    <dt>configure-url</dt>
    <dd>Add a log's URL to the database or set the URL for an existing entry.
    The log's URL is used when submitting server certificates to logs in
    order to obtain SCTs to send to clients.</dd>

    <dt>valid-time-range</dt>
    <dd>Set the minimum valid time and/or the maximum valid time for a log.
    SCTs from the log with timestamps outside of the valid range will not be
    accepted.  Use <code>-</code> for a time that is not being configured.</dd>

    <dt>trust</dt>
    <dd>Mark a log as trusted, which is the default setting.  This sub-command
    is used to reverse a <em>distrust</em> setting.</dd>

    <dt>distrust</dt>
    <dd>Mark a log as distrusted.</dd>

    <dt>forget</dt>
    <dd>Remove information about a log from the database.</dd>
  </dl>
</section>

<section id="examples">
  <title>Examples</title>

  <p>Consider an Apache httpd instance which serves as a TLS server and a proxy.
  The TLS server needs to obtain SCTs from a couple of known logs in order to
  pass those to clients, and the proxy needs to be able to validate the signature
  of SCTs received from backend servers.</p>

  <p>First we'll configure the URLs for logs where server certificates are logged:</p>

  <example>
  $ ctlogconfig /path/to/conf/log-config configure-url http://log1.example.com/<br />
  $ ctlogconfig /path/to/conf/log-config configure-url http://log2.example.com/<br />
  $ ctlogconfig /path/to/conf/log-config dump<br />
  Log id : (not configured)<br />
  Public key file: (not configured)<br />
  URL : http://log1.example.com/<br />
  Time range : -INF to +INF<br />
  <br />
  Log id : (not configured)<br />
  Public key file: (not configured)<br />
  URL : http://log2.example.com/<br />
  Time range : -INF to +INF<br />
  </example>

  <p>Next we'll set the public key of a log where the certificate of our only
  backend server is published.  In this case it is the log with URL
  <code>http://log2.example.com/</code>, which has already been configured.</p>

  <example>
  $ ctlogconfig /path/to/conf/log-config configure-public-key \#2 /path/to/conf/log2-pub.pem<br />
  $ ctlogconfig /path/to/conf/log-config dump<br />
  Log id : (not configured)<br />
  Public key file: (not configured)<br />
  URL : http://log1.example.com/<br />
  Time range : -INF to +INF<br />
  <br />
  Log id : (not configured)<br />
  Public key file: /path/to/conf/log2-pub.pem<br />
  URL : http://log2.example.com/<br />
  Time range : -INF to +INF<br />
  </example>
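
  <p>Added example, not part of the httpd documentation or of ctlogconfig itself:
  a small Python parser for the dump output shown above that reports, per record,
  whether the log can be used for certificate submission (URL configured) and for
  SCT signature validation (public key configured). It assumes each record starts
  with a <code>Log id</code> line; <code>parse_dump</code>, <code>audit</code> and
  the role names are names chosen for this example.</p>

```python
# Added example: parse the text printed by "ctlogconfig ... dump" and report
# what each record can be used for. Field labels come from the dump output
# shown on this page; function and role names are assumptions of the example.

NOT_SET = "(not configured)"
FIELDS = ("Log id", "Public key file", "URL", "Time range")

# Constructed sample: the fields of the second dump in the examples above.
SAMPLE_DUMP = """\
Log id : (not configured)
Public key file: (not configured)
URL : http://log1.example.com/
Time range : -INF to +INF
Log id : (not configured)
Public key file: /path/to/conf/log2-pub.pem
URL : http://log2.example.com/
Time range : -INF to +INF
"""


def parse_dump(text):
    """Return one dict per record; a "Log id" line starts a new record."""
    records = []
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if not sep or label not in FIELDS:
            continue  # blank lines and lines this example does not know
        if label == "Log id":
            records.append({})
        if not records:
            continue  # a field seen before any "Log id" line
        records[-1][label] = None if value == NOT_SET else value
    return records


def audit(records):
    """Map each record (by position in the dump) to the roles it allows."""
    report = []
    for position, rec in enumerate(records, start=1):
        roles = []
        if rec.get("URL"):
            roles.append("submit")    # URL: submit certificates, obtain SCTs
        if rec.get("Public key file"):
            roles.append("validate")  # key: check SCT signatures from backends
        bounded = rec.get("Time range") not in (None, "-INF to +INF")
        report.append((position, roles, bounded))
    return report


if __name__ == "__main__":
    for position, roles, bounded in audit(parse_dump(SAMPLE_DUMP)):
        print(position, ",".join(roles) or "unusable", "bounded" if bounded else "unbounded")
```

  <p>A record that lacks the <code>validate</code> role has no public key
  configured, so the proxy cannot check signatures on SCTs from that log.</p>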