| author | Yoshinari Takaoka | 2018-06-27 00:45:58 +0900 |
|---|---|---|
| committer | Yoshinari Takaoka | 2018-09-12 01:34:03 +0900 |
| commit | f325a7b445dcf851227b9d873a4944e0cfbab3d7 (patch) | |
| tree | 285aee67455c05507309f4eed95c98fab67330cd /tcpd | |
| parent | ae7eaf904c6f2ae5c48f8a3d6b7677e583f4ad14 (diff) | |
| download | courier-libs-f325a7b445dcf851227b9d873a4944e0cfbab3d7.tar.bz2 | |
[doc] added TLS_PRIVATE_KEYFILE description
Diffstat (limited to 'tcpd')
| -rw-r--r-- | tcpd/couriertls.sgml | 10 |
| -rw-r--r-- | tcpd/libcouriertls.h | 6 |
2 files changed, 16 insertions, 0 deletions
diff --git a/tcpd/couriertls.sgml b/tcpd/couriertls.sgml index a7a8e72..0711654 100644 --- a/tcpd/couriertls.sgml +++ b/tcpd/couriertls.sgml @@ -236,6 +236,16 @@ for SSL/TLS clients. </varlistentry> <varlistentry> + <term>TLS_PRIVATE_KEYFILE=<replaceable>filename</replaceable></term> + <listitem> + <para> +SSL/TLS private key for decrypting client data. +<envar>TLS_PRIVATE_KEY</envar> is optional because <term>TLS_CERTFILE</term> is generated including cert and private key both. +<replaceable>filename</replaceable> must not be world-readable.</para> + </listitem> + </varlistentry> + + <varlistentry> <term>TLS_TRUSTCERTS=<replaceable>pathname</replaceable></term> <listitem> <para> diff --git a/tcpd/libcouriertls.h b/tcpd/libcouriertls.h index 17faabc..a45f910 100644 --- a/tcpd/libcouriertls.h +++ b/tcpd/libcouriertls.h @@ -325,6 +325,12 @@ TLS_CERTFILE is required for SSL/TLS servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually treated as confidential, and must not be world-readable. +TLS_PRIVATE_KEYFILE - SSL/TLS private key for decrypting peer data. +By default, courier generates SSL/TLS certifice including private key +and install it in TLS_CERTFILE path, so TLS_PRIVATE_KEYFILE is completely +optional. If TLS_PRIVATE_KEYFILE is not set (default), TLS_CERTFILE is +treated as certificate including private key file. + TLS_TRUSTCERTS=pathname - load trusted root certificates from pathname. pathname can be a file or a directory. If a file, the file should contain a list of trusted certificates, in PEM format. If a |
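Review bot: In the tcpd/couriertls.sgml hunk, the new paragraph names the variable `<envar>TLS_PRIVATE_KEY</envar>`, while the entry's own term is TLS_PRIVATE_KEYFILE, so a reader searching for the setting will find two different names. Please use TLS_PRIVATE_KEYFILE in both places. The same sentence marks up TLS_CERTFILE with `<term>` inside the `<para>`; `<term>` is the element used for the heading of a varlistentry, and `<envar>` (already used for the other variable in that sentence) would be consistent. The description also says "decrypting client data" where the header comment in this commit says "peer data"; since the surrounding text covers both SSL/TLS servers and clients, "peer" is the more accurate word here too. Finally, this text does not say what happens when the variable is unset, which the header comment does ("TLS_CERTFILE is treated as certificate including private key file"); stating that fallback here would make the two descriptions agree.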
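Review bot: In the tcpd/libcouriertls.h hunk, the new TLS_PRIVATE_KEYFILE comment omits the file-permission requirement that the SGML text in this same commit states ("must not be world-readable") and that the preceding context lines state for TLS_CERTFILE. A separate private key file is at least as sensitive as the combined file, so the comment should say that it must not be world-readable. The entry heading is written "TLS_PRIVATE_KEYFILE - ..." while the neighbouring entry uses the "TLS_TRUSTCERTS=pathname - ..." form; "TLS_PRIVATE_KEYFILE=filename - ..." would match. There is also a typo ("certifice" should be "certificate") and "install it" should read "installs it".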
