From d422dde9ab2ed93ce1a8c43897c5713becc5505a Mon Sep 17 00:00:00 2001
From: lelemka0 <20322043+lelemka0@users.noreply.github.com>
Date: Fri, 2 Aug 2024 22:30:35 +0800
Subject: [PATCH] zh/en: add `buildChain` in `CertificateObject` (#547)

---
 docs/config/transport.md | 9 +++++++++
 docs/en/config/transport.md | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/docs/config/transport.md b/docs/config/transport.md
index 0f586d879..9e2d54df6 100644
--- a/docs/config/transport.md
+++ b/docs/config/transport.md
@@ -436,6 +436,7 @@ CipherSuites 用于配置受支持的密码套件列表, 每个套件名称之
 "ocspStapling": 3600,
 "oneTimeLoading": false,
 "usage": "encipherment",
+ "buildChain": false,
 "certificateFile": "/path/to/certificate.crt",
 "keyFile": "/path/to/key.key",
 "certificate": [
@@ -533,6 +534,14 @@ OCSP 装订更新,与证书热重载的时间间隔。 单位:秒。默认
 如已经拥有一个域名, 可以使用工具便捷的获取免费第三方证书,如[acme.sh](https://github.com/acmesh-official/acme.sh)
 :::
 
+> `buildChain`: true | false
+
+仅当证书用途为 `issue` 时生效,若值为 `true` ,签发证书时将CA证书嵌入证书链。
+
+::: tip TIP 1
+不应该将根证书嵌入证书链。该选项只适合在签名CA证书为中间证书时启用。
+:::
+
 > `certificateFile`: string
 
 证书文件路径,如使用 OpenSSL 生成,后缀名为 .crt。
diff --git a/docs/en/config/transport.md b/docs/en/config/transport.md
index 10c58f00e..39d783dc4 100644
--- a/docs/en/config/transport.md
+++ b/docs/en/config/transport.md
@@ -410,6 +410,7 @@ The bootstrapping path and query params of the spider. It's recommended to have
 "ocspStapling": 3600,
 "oneTimeLoading": false,
 "usage": "encipherment",
+ "buildChain": false,
 "certificateFile": "/path/to/certificate.crt",
 "keyFile": "/path/to/key.key",
 "certificate": [
@@ -507,6 +508,14 @@ Use `xray tls cert` to generate self-signed CA certificate.
 If you already have a domain name, you can use tools to obtain free third-party certificates easily, such as [acme.sh](https://github.com/acmesh-official/acme.sh).
 :::
 
+> `buildChain`: true | false
+
+Only valid when `usage` is `issue`. When set to `true`, the CA certificate will be appended to leaf certificate as chain during issuing certificates.
+
+::: tip TIP 1
+Root certificates should not be embedded in the certificate chain. This option is only applicable when the signing CA certificate is an intermediate certificate.
+:::
+
 > `certificateFile`: string
 
 Path to the certificate file generated by OpenSSL, with the suffix `.crt`.