From: Martin Willi <martin@revosec.ch>
Date: Wed, 17 Oct 2012 13:50:01 +0000 (+0200)
Subject: Updated ipsec.conf.5 regarding (CA) certificates loaded from smartcards
X-Git-Tag: 5.0.2dr4~287
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f6d8fb36874be43a41a0043810c1c3ad845a890c;p=thirdparty%2Fstrongswan.git

Updated ipsec.conf.5 regarding (CA) certificates loaded from smartcards
---

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 8010049947..303fb78fac 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -591,12 +591,9 @@ The left participant's ID can be overridden by specifying a
 value which must be certified by the certificate, though.
 .br
 A value in the form
-.B %smartcard:<keyid>
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
 defines a specific certificate to load from a PKCS#11 backend for this
-connection.
-.B <keyid>
-has to be a hex encoded key identifier under which the certificate is stored
-on any of the configured smartcards.
+connection. See ipsec.secrets(5) for details about smartcard definitions.
 .B leftcert
 is required only if selecting the certificate with
 .B leftid
@@ -1034,6 +1031,11 @@ currently can have either the value
 .BR cacert " = <path>"
 defines a path to the CA certificate either relative to
 \fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific CA certificate to load from a PKCS#11 backend for this CA.
+See ipsec.secrets(5) for details about smartcard definitions.
 .TP
 .BR crluri " = <uri>"
 defines a CRL distribution point (ldap, http, or file URI)