mk-ca-bundle.1: document -k
Brought in 1ad2bdcf110266c. Now does HTTPS by default and needs -k to
fall back to plain HTTP.
diff --git a/docs/mk-ca-bundle.1 b/docs/mk-ca-bundle.1
index b1ded44..c8f5177 100644
--- a/docs/mk-ca-bundle.1
+++ b/docs/mk-ca-bundle.1
@@ -20,18 +20,18 @@
.\" *
.\" **************************************************************************
.\"
-.TH mk-ca-bundle 1 "5 Jan 2013" "version 1.20" "mk-ca-bundle manual"
+.TH mk-ca-bundle 1 "24 Oct 2016" "version 1.27" "mk-ca-bundle manual"
.SH NAME
mk-ca-bundle \- convert mozilla's certdata.txt to PEM format
.SH SYNOPSIS
-mk-ca-bundle [bilnpqstuv]
+mk-ca-bundle [options]
.I [outputfile]
.SH DESCRIPTION
The mk-ca-bundle tool downloads the certdata.txt file from Mozilla's source
-tree over HTTP, then parses certdata.txt and extracts certificates
-into PEM format. By default, only CA root certificates trusted to issue SSL
-server authentication certificates are extracted. These are then processed with
-the OpenSSL commandline tool to produce the final ca-bundle file.
+tree over HTTPS, then parses certdata.txt and extracts certificates into PEM
+format. By default, only CA root certificates trusted to issue SSL server
+authentication certificates are extracted. These are then processed with the
+OpenSSL commandline tool to produce the final ca-bundle file.
The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-'
(a single dash) you will get the output sent to STDOUT instead of a file.
@@ -51,6 +51,10 @@
force rebuild even if certdata.txt is current (Added in version 1.17)
.IP -i
print version info about used modules
+.IP -k
+Allow insecure data transfer. By default (since 1.27) this command will fail
+if the HTTPS transfer fails. This overrides that decision (and opens for
+man-in-the-middle attacks).
.IP -l
print license info about certdata.txt
.IP -m
