Changes in b1b0efb: Move subsections under “DN42 Self-Serve CA” setion

				services/Automatic-CA.md
			
          @@ -1,7 +1,7 @@

           DN42 ACME CA

           ==================

          -Certificates can be automatically generated with the [ACME-CA](http://acme.dn42). More information can be found on [acme.dn42](http://acme.dn42/)

          +Certificates can be automatically generated with the [ACME-CA](http://acme.dn42) using [acme.sh](https://github.com/acmesh-official/acme.sh) or [lego](https://github.com/go-acme/lego). More information can be found on [acme.dn42](http://acme.dn42/)

           DN42 Self-Serve CA

           ==================

          @@ -9,8 +9,7 @@ DN42 Self-Serve CA

           This client is used for automating the process of requesting TLS certificates. (Available via: [dn42](https://ca.dn42/ca-client), [iana](https://ca.dn42.us/ca-client), [git](anon@git.dn42:dn42/ca-client)) 

          -VALIDATION PROCESS

          -==================

          +## VALIDATION PROCESS

           The process validates ownership by verifying control of both a users MNT object in the registry and the authoritative DNS server. 

           The following steps take place in creating a signed certificate.

          @@ -52,8 +51,7 @@ Server certificates are signed for 45 days. To renew follow the steps above star

           3. CA checks that owner in certificate matches.

           4. CA revokes certificate and updates revocation list.

          -INSTALL

          -=======

          +## INSTALL

           get the script here: 

          @@ -62,10 +60,9 @@ curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42

           available via git: anon@git.dn42:dn42/ca-client

          -KNOWN ISSUES

          -============

          +## KNOWN ISSUES

          -## openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation"

          +### openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation"

           The way openssl validated name constraints prevented it from accepting dns names that started with a dot.

           Because the name constraint is "DNS:.dn42" it fails to validate.

          @@ -76,7 +73,7 @@ Because the name constraint is "DNS:.dn42" it fails to validate.

           [libssl-1]: https://groups.google.com/forum/#!topic/mailing.openssl.dev/drG3U-S4iaE

          -## X.509 nameConstraints on certificates not supported on OS X

          +### X.509 nameConstraints on certificates not supported on OS X

           Browsers and clients that rely on Apple's [Secure Transport][osx-1] library does not support X.509's nameConstraints.

          @@ -87,8 +84,7 @@ Read more on this [stack exchange post][osx-2]

           [osx-2]: http://security.stackexchange.com/a/97133

          -How to Run

          -==========

          +## How to Run

           ```

           Usage:  # OWNER is your MNT handle.

          @@ -106,8 +102,7 @@ Environtment Options:

              DN42CA_PKCS12 = 1                # Generate pkcs12 file for certificate.

           ```

          -Example

          -=======

          +## Example

           Generate the user key

          @@ -124,7 +119,7 @@ writing new private key to 'XUU-MNT.key'

           |MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=

           ```

          -## Sign the user key

          +### Sign the user key

           ```

           $ ./ca.dn42 user-sign XUU-MNT xuu@sour.is

          @@ -141,7 +136,7 @@ Enter Export Password:

           Verifying - Enter Export Password:

           ```

          -## Generate the server key

          +### Generate the server key

           ```

           $ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42

          @@ -165,7 +160,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42.

           "XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ="

           ```

          -## Sign the server key

          +### Sign the server key

           ```

           $ ./ca.dn42 tls-sign ca.dn42 XUU-MNT

          @@ -222,7 +217,7 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT

           ExecStart=/usr/bin/nginx -s reload

           ```

          -## Revoke a certificate.

          +### Revoke a certificate.

           ```

           $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt 

          @@ -238,5 +233,5 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt

           OK

           ```

          -## Certificate transparency

          +### Certificate transparency

           All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).

...	...	@@ -1,7 +1,7 @@
1	1	DN42 ACME CA
2	2	==================
3	3
4		-Certificates can be automatically generated with the [ACME-CA](http://acme.dn42). More information can be found on [acme.dn42](http://acme.dn42/)
	4	+Certificates can be automatically generated with the [ACME-CA](http://acme.dn42) using [acme.sh](https://github.com/acmesh-official/acme.sh) or [lego](https://github.com/go-acme/lego). More information can be found on [acme.dn42](http://acme.dn42/)
5	5
6	6	DN42 Self-Serve CA
7	7	==================
...	...	@@ -9,8 +9,7 @@ DN42 Self-Serve CA
9	9	This client is used for automating the process of requesting TLS certificates. (Available via: [dn42](https://ca.dn42/ca-client), [iana](https://ca.dn42.us/ca-client), [git](anon@git.dn42:dn42/ca-client))
10	10
11	11
12		-VALIDATION PROCESS
13		-==================
	12	+## VALIDATION PROCESS
14	13
15	14	The process validates ownership by verifying control of both a users MNT object in the registry and the authoritative DNS server.
16	15	The following steps take place in creating a signed certificate.
...	...	@@ -52,8 +51,7 @@ Server certificates are signed for 45 days. To renew follow the steps above star
52	51	3. CA checks that owner in certificate matches.
53	52	4. CA revokes certificate and updates revocation list.
54	53
55		-INSTALL
56		-=======
	54	+## INSTALL
57	55
58	56	get the script here:
59	57
...	...	@@ -62,10 +60,9 @@ curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42
62	60	available via git: anon@git.dn42:dn42/ca-client
63	61
64	62
65		-KNOWN ISSUES
66		-============
	63	+## KNOWN ISSUES
67	64
68		-## openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation"
	65	+### openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation"
69	66
70	67	The way openssl validated name constraints prevented it from accepting dns names that started with a dot.
71	68	Because the name constraint is "DNS:.dn42" it fails to validate.
...	...	@@ -76,7 +73,7 @@ Because the name constraint is "DNS:.dn42" it fails to validate.
76	73	[libssl-1]: https://groups.google.com/forum/#!topic/mailing.openssl.dev/drG3U-S4iaE
77	74
78	75
79		-## X.509 nameConstraints on certificates not supported on OS X
	76	+### X.509 nameConstraints on certificates not supported on OS X
80	77
81	78	Browsers and clients that rely on Apple's [Secure Transport][osx-1] library does not support X.509's nameConstraints.
82	79
...	...	@@ -87,8 +84,7 @@ Read more on this [stack exchange post][osx-2]
87	84	[osx-2]: http://security.stackexchange.com/a/97133
88	85
89	86
90		-How to Run
91		-==========
	87	+## How to Run
92	88
93	89	```
94	90	Usage: # OWNER is your MNT handle.
...	...	@@ -106,8 +102,7 @@ Environtment Options:
106	102	DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate.
107	103	```
108	104
109		-Example
110		-=======
	105	+## Example
111	106
112	107	Generate the user key
113	108
...	...	@@ -124,7 +119,7 @@ writing new private key to 'XUU-MNT.key'
124	119	\|MNT Key Pin\| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
125	120	```
126	121
127		-## Sign the user key
	122	+### Sign the user key
128	123
129	124	```
130	125	$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
...	...	@@ -141,7 +136,7 @@ Enter Export Password:
141	136	Verifying - Enter Export Password:
142	137	```
143	138
144		-## Generate the server key
	139	+### Generate the server key
145	140
146	141	```
147	142	$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
...	...	@@ -165,7 +160,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42.
165	160	"XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ="
166	161	```
167	162
168		-## Sign the server key
	163	+### Sign the server key
169	164
170	165	```
171	166	$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
...	...	@@ -222,7 +217,7 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
222	217	ExecStart=/usr/bin/nginx -s reload
223	218	```
224	219
225		-## Revoke a certificate.
	220	+### Revoke a certificate.
226	221
227	222	```
228	223	$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
...	...	@@ -238,5 +233,5 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
238	233	OK
239	234	```
240	235
241		-## Certificate transparency
	236	+### Certificate transparency
242	237	All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).