1 files changed, 39 insertions, 0 deletions

diff --git a/system/services/taskserver/certs/README.md b/system/services/taskserver/certs/README.md
new file mode 100644
index 0000000..846379c
--- /dev/null
+++ b/system/services/taskserver/certs/README.md
@@ -0,0 +1,39 @@
+> This is taken from: https://github.com/GothenburgBitFactory/taskserver/blob/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki/README
+
+PKI is a complex subject. These scripts and this description are not intended
+to be a complete and accurate example of PKI.
+
+Ideally you would purchase a server cert signed by a known CA, such as one of
+the following:
+
+- Symantec
+- Comodo
+- GoDaddy
+- GlobalSign
+- (Let's Encrypt)
+
+That cert would need the 'encryption_key' and 'signing_key' attributes.
+Using that server cert, you would then issue a server CRL and client keys.
+
+If you are developing, testing, or running your own private server, you may
+choose instead to generate the above yourself.  In this case you would generate
+a CA key and cert, then use that to generate a server key, cert, and CRL.  Then
+you would use the server key and cert to create a client key and cert.  But as
+there is no trusted CA in this example, just yourself, the resultant client key
+and cert will not be trusted by anyone, for good reasons.
+
+Note, you can inspect any cert with the command:
+
+    $ gnutls-certtool -i --infile $CERT
+
+There is a 'generate' script here that will perform the above steps.  Take a
+look at it to see the individual steps it takes to generate the proper set of
+keys and certs.
+
+Note that you need to modify the 'vars' file to provide your own identity and
+chosen parameters.
+
+Validate a certificate with:
+
+    $ gnutls-certtool --verify --infile client.cert.pem --load-ca-certificate ca.cert.pem
+