From 1ecaf4846c8bf045ca28fa0250895f90850f20f0 Mon Sep 17 00:00:00 2001
From: Florent Gluck <florent.gluck@hesge.ch>
Date: Wed, 13 Mar 2024 15:22:36 +0100
Subject: [PATCH] updated spice doc

---
 docs/README_spice_encryption.md | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/docs/README_spice_encryption.md b/docs/README_spice_encryption.md
index 4cf4429d..25376143 100644
--- a/docs/README_spice_encryption.md
+++ b/docs/README_spice_encryption.md
@@ -65,9 +65,9 @@ hostname --fqdn
 
 Using both template files, `gen-cert.sh` creates in the specified directory:
 
-- CA public key: `ca-cert.pem`
-- Server private key: `server-key.pem` (root-only access)
-- Server public key: `server-cert.pem`
+- The CA master certificate: `ca-cert.pem`
+- The server certificate signed with ca-cert.pem: `server-cert.pem`
+- The server private key: `server-key.pem` (root-only access)
 
 This directory must be passed in argument to QEMU in order to use SPICE with TLS.
 The `ca-key.pem` key is sensitive and required to generate other certificates. Ideally, it whould be stored offline.
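Review bot: on the added `server-cert.pem` bullet, "signed with ca-cert.pem" is inaccurate. A certificate is signed with the CA's private key, which the context line below names as `ca-key.pem`; `ca-cert.pem` is the certificate a client uses to verify that signature. Suggest wording such as "The server certificate, signed by the CA: `server-cert.pem`", which also avoids the un-backticked file name in the middle of the bullet. Since this hunk already touches the paragraph, the unchanged context could be fixed in the same commit: "whould" should be "should" and "passed in argument" should be "passed as an argument".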
@@ -104,11 +104,7 @@ More information on how to do it here: `https://ubuntu.com/server/docs/security-
 ## Server side certificate usage
 
 On the server side, SPICE can be configured to either use a password or not when establishing the connection.
-In both cases, a directory containing the following files must be specified to QEMU:
-
-- Server private key: `server-key.pem`
-- Server public key: `server-cert.pem`
-- CA public key: `ca-cert.pem`
+In both cases, a directory containing these 3 files, `ca-cert.pem, server-cert.pem, server-key.pem`, must be specified to QEMU.
 
 ### SPICE without password
 
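Review bot: in the replacement sentence the three file names sit inside a single code span, `ca-cert.pem, server-cert.pem, server-key.pem`, so they render as one literal string; give each name its own backticks. Collapsing the list also removes the role of each file from this section, so a reader who lands directly on "Server side certificate usage" no longer sees that `server-key.pem` is the private key. Consider stating here that it must remain root-only, as the earlier list does, or pointing back to that list. Minor: "3" reads better as "three".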
-- 
GitLab