From 01c18c109b683139a550c957d653b17dc3710c5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Mon, 24 May 2021 12:19:45 +0200 Subject: [PATCH] docs: requirements for custom mitmproxy-ca.pem (#4601) * docs: requirements for custom mitmproxy-ca.pem * docs: fix typos --- docs/src/content/concepts-certificates.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/src/content/concepts-certificates.md b/docs/src/content/concepts-certificates.md index 783575a7a..acf57a705 100644 --- a/docs/src/content/concepts-certificates.md +++ b/docs/src/content/concepts-certificates.md @@ -151,6 +151,27 @@ mitmproxy. Mitmproxy will then look for `mitmproxy-ca.pem` in the specified directory. If no such file exists, it will be generated automatically. +The `mitmproxy-ca.pem` certificate file has to look roughly like this: + + -----BEGIN PRIVATE KEY----- + + -----END PRIVATE KEY----- + -----BEGIN CERTIFICATE----- + + -----END CERTIFICATE----- + +When looking at the certificate with +`openssl x509 -noout -text -in ~/.mitmproxy/mitmproxy-ca.pem` +it should have at least the following X509v3 extensions so mitmproxy can +use it to generate certificates: + + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign + X509v3 Basic Constraints: critical + CA:TRUE + + ## Using a client side certificate You can use a client certificate by passing the `--set client_certs=DIRECTORY|FILE`
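Review bot: In the added `mitmproxy-ca.pem` sample, the lines between `-----BEGIN PRIVATE KEY-----` / `-----END PRIVATE KEY-----` and between the certificate markers are empty, so the example does not show what belongs there. Add explicit placeholders (for example `<private key>` and `<cert>`), and replace "has to look roughly like this" with a precise requirement: the single file must contain both the private key and the certificate in PEM form, and the text should say whether their order matters. Because this file carries the CA private key, the paragraph should also tell readers to keep it readable only by the user running mitmproxy. The `openssl x509 -noout -text -in ~/.mitmproxy/mitmproxy-ca.pem` command hardcodes the default location, although the preceding context is about a custom directory ("Mitmproxy will then look for `mitmproxy-ca.pem` in the specified directory"); use a placeholder path or say that the reader should substitute their own directory. The extensions listing shows both `Key Usage` and `Basic Constraints` as `critical`; state whether the critical flag is itself required or only the `Certificate Sign` and `CA:TRUE` values. Lastly, the hunk adds a second blank line before `## Using a client side certificate`; one is enough.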