fix pathnames in README

README.md

@@ -36,19 +36,24 @@ certificate: when prompted for "Common Name", say "Certificate
 Authority" or something like that
 
 ```
-openssl genrsa -out ca.key 4096
-openssl req  -addext basicConstraints=critical,CA:TRUE,pathlen:1  --x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt
+openssl genrsa -out private/ca.key 4096
+openssl req  -addext basicConstraints=critical,CA:TRUE,pathlen:0  --x509 -new -nodes -key private/ca.key -sha256 -days 3650  -out certs/ca.crt
 ```
 
 ### Server key and cert
 
 The certifix service is exposed over HTTPS, so it needs its own
 certificate signed by the CA. Use your hostname when prompted for
-Common Name
+Common Name. If your server host is reachable using different
+names from different clients then you need to provide _all_ of them
+as `subjectAltName` - as in the example below.
 
 ```
-openssl req -newkey rsa:2048 -nodes -keyout server.key --out server.csr
-openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
+# it's important to list all the hostnames of your server machine in the
+# subjectAltName field
+openssl req -newkey rsa:2048  -addext "subjectAltName = DNS:loaclhost.lan,DNS:localhost,DNS:loaclhost.telent.net" -nodes -keyout private/server.key --out certs/server.csr
+openssl x509 -req -in certs/server.csr -days 365 -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -copy_extensions copyall -out certs/server.crt
+
 ```
 
 ### Build and start the server
@@ -61,9 +66,14 @@ it to check client certificate requests against.
 echo 'loves labours lost' > psk
 chmod 0700 psk
 nix-build
-result/bin/certifix  --challenge-password psk  --ca-certificate ca.crt --ca-private-key --server-certificate server.crt --server-private-key server.key localhost:19613
+result/bin/certifix  --challenge-password psk  --ca-certificate certs/ca.crt --ca-private-key private/ca.key --server-certificate certs/server.crt --server-private-key private/server.key localhost:19613
 ```
 
+* To listen on all interfaces, use a wildcard address instead of
+  `localhost` - e.g. `::0:19613' will (at least on my machine) accept
+  IPv4 and IPv6 connections on any interface
+
+
 ### Try it and see if it works
 
 To set the `challengePassword` attribute in a CSR using OpenSSL, you
@@ -76,10 +86,10 @@ need to create a configuration file.  Copy `openssl.cnf.example` to
 
 ```
 # make CSR
-CN=mydevice openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr
+CN=mydevice openssl req -config openssl.cnf -addext "subjectAltName = DNS:mydevice.lan" -newkey rsa:2048 -nodes -keyout client.key -out client.csr
 
 # send it to certifix, should get a certificate in response
-curl --cacert ca.crt   -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  https://localhost:19613/sign
+curl --cacert certs/ca.crt   -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  https://localhost:19613/sign
 ```
 
 
@@ -102,6 +112,8 @@ only invoked once an acceptable request has been received.
 
 * probably has wrong basicConstraints in CA cert
 
+* doesn't call SSL shutdown at the end of the response
+
 * likewise other TLS best practices
 
 
@@ -110,3 +122,4 @@ only invoked once an acceptable request has been received.
 
 * [RFC 5967 - spec for a CSR](https://datatracker.ietf.org/doc/html/rfc5967)
 * [A gentle introduction to ASN1. and DER](https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/)
+ openssl req -newkey rsa:2048  -addext "subjectAltName = DNS:loaclhost.lan,DNS:localhost,DNS:loaclhost.telent.net" -nodes -keyout private/server.key --out certs/server.csr