<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE manualpage SYSTEM "/style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<manualpage metafile="ctlogconfig.xml.meta">
<parentdocument href="./">Programs</parentdocument>
<title>ctlogconfig - Certificate Transparency log configuration tool</title>
<summary>
<p><code>ctlogconfig</code> is a tool for creating and maintaining a log
configuration database, for use with <module>mod_ssl_ct</module>.</p>
<p>Refer first to <a href="/mod/mod_ssl_ct.html#logconf">Log
configuration</a> in the <module>mod_ssl_ct</module> documentation.</p>
<p>Refer to the <a href="#examples">examples below</a> for typical use.</p>
</summary>
<seealso><module>mod_ssl_ct</module></seealso>
<section id="synopsis">
<title>Synopsis</title>
<p><code>
<strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>dump</strong>
</code></p>
<p><code>
<strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>configure-public-key</strong>
[ <em>log-id</em>|<em>record-id</em> ]
<em>/path/to/public-key.pem</em>
</code></p>
<p><code>
<strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>configure-url</strong>
[ <em>log-id</em>|<em>record-id</em> ]
<em>log-URL</em>
</code></p>
<p><code>
<strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>valid-time-range</strong>
<em>log-id</em>|<em>record-id</em>
<em>min-timestamp</em> <em>max-timestamp</em>
</code></p>
<p><code>
<strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>trust</strong>
<em>log-id</em>|<em>record-id</em>
</code></p>
<p><code>
<strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>distrust</strong>
<em>log-id</em>|<em>record-id</em>
</code></p>
<p><code>
<strong>ctlogconfig</strong> <em>/path/to/db</em> <strong>forget</strong>
<em>log-id</em>|<em>record-id</em>
</code></p>
<dl>
<dt><em>log-id</em></dt>
<dd>This is the id of the log, which is the SHA-256 hash of the log's public key,
provided in hexadecimal format. This string is 64 characters in length.</dd>
<dt><em>record-id</em></dt>
<dd>This is the record number in the database, as displayed by the <strong>dump</strong>
sub-command, prefixed with <strong>#</strong>. As an example, <strong>#4</strong>
references the fourth record in the database. (Use shell escaping as necessary.)</dd>
<dt><em>/path/to/public-key.pem</em></dt>
<dd>This is a file containing the log's public key in PEM format. The public
key is not stored in the database. Instead, a reference to the file is stored.
Thus, the file cannot be removed until the public key in the database is removed
or changed.</dd>
<dt><em>min-timestamp</em>, <em>max-timestamp</em></dt>
<dd>A timestamp is a time as expressed in the number of milliseconds since the
epoch, ignoring leap seconds. This is the form of time used in Signed Certificate
Timestamps. This must be provided as a decimal number.
<br />
Specify <strong><code>-</code></strong> for one of the timestamps if it is unknown.
For example, when configuring the minimum valid timestamp for a log which remains
valid, specify <strong><code>-</code></strong> for <em>max-timestamp</em>.
<br />
SCTs received from this log by the proxy are invalid if the timestamp
is older than <em>min-timestamp</em> or newer than <em>max-timestamp</em>.</dd>
</dl>
</section>
<section id="subcommands">
<title>Sub-commands</title>
<dl>
<dt>dump</dt>
<dd>Display configuration database contents. The record id shown in
the output of this sub-command can be used to identify the affected
record in other sub-commands.</dd>
<dt>configure-public-key</dt>
<dd>Add a log's public key to the database or set the public key for an
existing entry. The log's public key is needed to validate the signature
of SCTs received by a proxy from a backend server. (The database will
be created if it does not yet exist.)</dd>
<dt>configure-url</dt>
<dd>Add a log's URL to the database or set the URL for an existing entry.
The log's URL is used when submitting server certificates to logs in
order to obtain SCTs to send to clients. (The database will
be created if it does not yet exist.)</dd>
<dt>valid-time-range</dt>
<dd>Set the minimum valid time and/or the maximum valid time for a log.
SCTs from the log with timestamps outside of the valid range will not be
accepted. Use <code>-</code> for a time that is not being configured.
(The database will be created if it does not yet exist.)</dd>
<dt>trust</dt>
<dd>Mark a log as trusted, which is the default setting. This sub-command
is used to reverse a <em>distrust</em> setting. (The database will
be created if it does not yet exist.)</dd>
<dt>distrust</dt>
<dd>Mark a log as distrusted. (The database will be created if it does
not yet exist.)</dd>
<dt>forget</dt>
<dd>Remove information about a log from the database.</dd>
</dl>
</section>
<section id="examples">
<title>Examples</title>
<p>Consider an Apache httpd instance which serves as a TLS server and a proxy.
The TLS server needs to obtain SCTs from a couple of known logs in order to
pass those to clients, and the proxy needs to be able to validate the signature
of SCTs received from backend servers.</p>
<p>First we'll configure the URLs for logs where server certificates are logged:</p>
<example>
$ ctlogconfig /path/to/conf/log-config configure-url http://log1.example.com/<br />
$ ctlogconfig /path/to/conf/log-config configure-url http://log2.example.com/<br />
$ ctlogconfig /path/to/conf/log-config dump<br />
Log entry:<br />
Record 1<br />
Log id : (not configured)<br />
Public key file: (not configured)<br />
URL : http://log1.example.com/<br />
Time range : -INF to +INF<br />
<br />
Log entry:<br />
Record 2<br />
Log id : (not configured)<br />
Public key file: (not configured)<br />
URL : http://log2.example.com/<br />
Time range : -INF to +INF<br />
</example>
<p>Next we'll set the public key of a log where the certificate of our only
backend server is published. In this case it is the log with URL
http://log2.example.com/ which has already been configured.</p>
<example>
$ ctlogconfig /path/to/conf/log-config configure-public-key \#2 /path/to/conf/log2-pub.pem<br />
$ ctlogconfig /path/to/conf/log-config dump<br />
Log entry:<br />
Record 1<br />
Log id : (not configured)<br />
Public key file: (not configured)<br />
URL : http://log1.example.com/<br />
Time range : -INF to +INF<br />
<br />
Log entry:<br />
Record 2<br />
Log id : (not configured)<br />
Public key file: /path/to/conf/log2-pub.pem<br />
URL : http://log2.example.com/<br />
Time range : -INF to +INF<br />
</example>
</section>
</manualpage>