From 5c7a8052ed42dfc966087f61fd94eb1ab322ca85 Mon Sep 17 00:00:00 2001
From: Ceri Davies <ceri@FreeBSD.org>
Date: Sat, 14 May 2005 11:01:22 +0000
Subject: [PATCH] Clarify that you're supposed to send the certificate request
 to the CA, rather than your private key.

Suggested by:	Brett Schroeder <brett at brettschroeder dot name>
---
 .../books/handbook/security/chapter.sgml            | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index 78883d4b5d..6bc299954e 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -3072,10 +3072,15 @@ An optional company name []:<userinput><replaceable>Another Name</replaceable></
 	are available.  A complete list may be obtained by viewing
 	the &man.openssl.1; manual page.</para>
 
-      <para>A <filename>cert.pem</filename> file should now exist in
-	the directory which the aforementioned command was issued.  This
-	is the certificate which may be sent to any
-	<acronym>CA</acronym> for signing.</para>
+      <para>Two files should now exist in
+	the directory in which the aforementioned command was issued.
+	The certificate request, <filename>req.pem</filename>, may be
+	sent to a certificate authority who will validate the credentials
+	that you entered, sign the request and return the certificate to
+	you.  The second file created will be named <filename>cert.pem</filename>
+	and is the private key for the certificate and should be
+	protected at all costs; if this falls in the hands of others it
+	can be used to impersonate you (or your server).</para>
 
       <para>In cases where a signature from a <acronym>CA</acronym> is
 	not required, a self signed certificate can be created.  First,