tls doc update

mbax · mbax · commit bee223277422 · 2019-06-23T00:29:35.000-04:00
diff --git a/docs/advanced/tls.md b/docs/advanced/tls.md
@@ -14,10 +14,9 @@ You can set the public and private key utilized in the connection using the foll
 
 By default, when connecting securely, KICL will utilize the default `TrustManagerFactory`
 provided by the JRE you're using. This factory *does not* necessarily accept certificates
-issued by all certificate authorities (such as StartCom, which is still used by some IRC networks)
-and self-signed certificates. If possible, you should consider [importing](tls_import.md)
-the root certificates for these certificate authorities which will allow connections to be
-made.
+issued by all certificate authorities and self-signed certificates. If possible, you should
+consider [importing](tls_import.md) the root certificates for these certificate authorities
+which will allow connections to be made.
 
 KICL lets you set your own `TrustManagerFactory` in the `Client.Builder` so you may let KICL
 connect to the network you desire. For testing, there is also the `InsecureTrustManagerFactory`
diff --git a/docs/advanced/tls_import.md b/docs/advanced/tls_import.md
@@ -1,23 +1,17 @@
 ### Importing common root certificates
 
-Java's default trust store does not include root certificates from a number of popular certificate authorities. This
-means that connections to servers which make use of certificates signed by CAs such as StartCom (e.g. EsperNet) will
+Java's default trust store may not include the certificate authority (such as self-signed) used by your IRC. This
+means that connections to servers which make use of certificates signed by these CAs will
 fail.
 
 It's possible to manually import the root certificates into Java's trust store which will make such connections work.
 This approach is preferable to making use of the `InsecureTrustManagerFactory` or otherwise disabling certificate
 verification.
 
-1. Download the root certificates in DER form. For StartCom's roots, these can be obtained using wget:
+1. Download the certificate in DER form.
 
 ```sh
-wget https://www.startssl.com/certs/der/ca.crt https://www.startssl.com/certs/der/ca-g2.crt
-```
-
-If the certificates you want to import aren't available in DER form, you can convert one in PEM form using:
-
-```sh
-openssl x509 -in certificate.crt -out certificate.der -outform DER
+openssl s_client -showcerts -connect irc.host:6697 < /dev/null | openssl x509 -outform DER > cert.der
 ```
 
 1. Locate the `cacerts` file. This is located in the `lib` of the JAVA_HOME directory. For example,
@@ -28,7 +22,7 @@ which is set by default to 'changeit'. If you've not changed it, you should be a
 supply an alias for each certificate via the `-alias` argument.
 
 ```sh
-sudo keytool -trustcacerts -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -noprompt -importcert -alias StartCom1 -file ca.crt 
+sudo keytool -trustcacerts -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -noprompt -importcert -alias irchost -file cert.der
 ```
 
 You can list all certificates in your trust store and verify the certificates were correctly added by issuing
