> This is taken from: https://github.com/GothenburgBitFactory/taskserver/blob/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki/README PKI is a complex subject. These scripts and this description are not intended to be a complete and accurate example of PKI. Ideally you would purchase a server cert signed by a known CA, such as one of the following: - Symantec - Comodo - GoDaddy - GlobalSign - (Let's Encrypt) That cert would need the 'encryption_key' and 'signing_key' attributes. Using that server cert, you would then issue a server CRL and client keys. If you are developing, testing, or running your own private server, you may choose instead to generate the above yourself. In this case you would generate a CA key and cert, then use that to generate a server key, cert, and CRL. Then you would use the server key and cert to create a client key and cert. But as there is no trusted CA in this example, just yourself, the resultant client key and cert will not be trusted by anyone, for good reasons. Note, you can inspect any cert with the command: ``` $ gnutls-certtool -i --infile $CERT ``` There is a 'generate' script here that will perform the above steps. Take a look at it to see the individual steps it takes to generate the proper set of keys and certs. Note that you need to modify the 'vars' file to provide your own identity and chosen parameters. Validate a certificate with: ``` $ gnutls-certtool --verify --infile client.cert.pem --load-ca-certificate ca.cert.pem ```