DKIM: document Ed25519 private key generation under OpenSSL (1.1.1+)

[users/heiko/exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 67ade7b04a524af83adc05111aa3f4482ede5cd8..978d51fd7e59f78bcbd51d7652be086e27a74363 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38946,6 +38946,21 @@ As they are a recent development, users should consider dual-signing
 for some transition period.
 The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
 for EC keys.
 for some transition period.
 The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
 for EC keys.

+
+As of writing, producing EC key materials is not well supported
+by the major libraries.  OpenSSL 1.1.1 and GnuTLS 3.6.0 can create private keys:
+.code
+openssl genpkey -algorithm ed25519 -out dkim_ed25519.private
+certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private
+.endd
+
+To help in producing the required public key value for a DNS record
+the release package &_util/_& directory contains source for a utility
+buildable with GnuTLS 3.6.0;
+use it like this:
+.code
+ed25519_privkey_pem_to_pubkey_raw_b64 dkim_ed25519.private
+.endd

 .wen
 
 .option dkim_hash smtp string&!! sha256
 .wen
 
 .option dkim_hash smtp string&!! sha256