From 636a446d6fc374f40b63eb847d021e0e498105c3 Mon Sep 17 00:00:00 2001 From: albertony <12441419+albertony@users.noreply.github.com> Date: Fri, 11 Dec 2020 19:34:16 +0100 Subject: [PATCH] Improved description of fingerprint handling in command line wiki Signed-off-by: Dom Rodriguez --- Command-Line.md | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/Command-Line.md b/Command-Line.md index d0ac93f..930dde4 100644 --- a/Command-Line.md +++ b/Command-Line.md 
@@ -583,35 +583,36 @@ Clients must contain the following file: ### Generating certificate and fingerprint -The main UI application has built-in functionality to generate a self-signed server certificate, -and fingerprint. In a command line only ([portable](#portable)) environment you will have to create these manually, -using the OpenSSL command line utility, which is included in a Barrier installation together -with a Barrier specific OpenSSL configuration file `barrier.conf`. To create them the same -way as the UI application does, you can follow the following Windows example. -It uses `openssl.exe` and `barrier.conf` from a Barrier installed in -`C:\Program Files\Barrier`, generating configuration in `%LocalAppData%\Barrier\SSL`. -If you have the OpenSSL files in a different location and/or are planning to keep the SSL files in a -custom location specified with command line argument `--profile-dir`, you must change the paths in the example accordingly. +The main UI application has built-in functionality for handling encryption. +In server mode it will generate a self-signed server certificate and a fingerprint. +In client mode it will prompt for you to accept the server's fingerprint, and add +it to your list of trusted servers. +In a command line only ([portable](#portable)) environment you will have to handle +this manually. You can use the OpenSSL command line utility which is included in +a Barrier installation together with a Barrier specific OpenSSL configuration +file `barrier.conf`. To create them the same way as the UI application does, +you can follow the following Windows example. It uses `openssl.exe` and `barrier.conf` +from a Barrier installed in default location `C:\Program Files\Barrier`, generating +configuration in default location `%LocalAppData%\Barrier\SSL`. 
If you have the +OpenSSL files in a different location and/or are planning to keep the SSL files in +a custom location specified with command line argument `--profile-dir`, you must +change the paths in the example accordingly. ``` -mkdir "%LocalAppData%\Barrier\SSL\Fingerprints" >NUL 2>&1 -set OPENSSL_CONF=C:\Program Files\Barrier\barrier.conf +MKDIR "%LocalAppData%\Barrier\SSL\Fingerprints" >NUL 2>&1 +SET OPENSSL_CONF=C:\Program Files\Barrier\barrier.conf SET RANDFILE=%LocalAppData%\Barrier\SSL\.rnd "C:\Program Files\Barrier\openssl.exe" req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:2048 -keyout "%LocalAppData%\Barrier\SSL\Barrier.pem" -out "%LocalAppData%\Barrier\SSL\Barrier.pem" IF EXIST "%RANDFILE%" DEL "%RANDFILE%" -"C:\Program Files\Barrier\openssl.exe" x509 -fingerprint -sha1 -noout -in "%LocalAppData%\Barrier\SSL\Barrier.pem" > "%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt" +FOR /F "tokens=2 delims=^=" %a in ('""C:\Program Files\Barrier\openssl.exe" x509 -fingerprint -sha1 -noout -in "%LocalAppData%\Barrier\SSL\Barrier.pem""') DO ECHO %a > "%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt" ``` -Now, on any clients you must manually create the `%LocalAppData%\Barrier\SSL\Fingerprints\TrustedServers.txt` file, -with the hash from the server's `%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt`. +Now, on any clients you must manually ensure there is a text file +`%LocalAppData%\Barrier\SSL\Fingerprints\TrustedServers.txt`, +and append a line to it, with the hash string from the server's +`%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt`, +e.g. -Given the server's Local.txt contains: - -``` -SHA1 Fingerprint=96:32:AB:DD:38:5C:E5:21:20:8E:52:E8:83:28:A0:2A:CC:CC:8F:A3 -``` - -You must put the following into the client's TrustedServers.txt: ``` 96:32:AB:DD:38:5C:E5:21:20:8E:52:E8:83:28:A0:2A:CC:CC:8F:A3 ```
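Review bot: the new `FOR /F ... DO ECHO %a > "%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt"` line writes the fingerprint with a trailing space, because the blank between `%a` and `>` is part of ECHO's argument. Unless Barrier strips whitespace when it reads these files (the wiki text does not say it does), a hash line copied from that file into a client's TrustedServers.txt will not be an exact match of what the old `x509 -fingerprint` output produced. Putting the redirection before ECHO avoids the space without tripping over cmd's handling of a trailing digit followed by `>` as a handle redirection: `DO >"%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt" ECHO %a`. Two smaller points on the same line: inside the quoted FOR /F options the caret is a literal character, so `delims=^=` makes both `^` and `=` delimiters rather than escaping `=`; the conventional spelling is `delims==`. And since the loop variable is written `%a`, the block only works when typed at an interactive prompt; the surrounding prose should state that a saved `.bat` file needs `%%a` instead, since readers of a command-line page are likely to paste the block into a script.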