[mod_gnutls/doc] more details which certificates are needed for OCSP

Change-Id: I1f7004bf2182f8023f19c0e3d2e3f5dee4968a9b

doc/mod_gnutls.xml

@@ -202,9 +202,22 @@
 			Converting into PEM format can be done like this:
 
 			<pre>
-				echo "-----BEGIN OCSP RESPONSE-----"; base64 --wrap=64 ocsp.der; echo "-----END OCSP RESPONSE-----"
+				(echo "-----BEGIN OCSP RESPONSE-----"; base64 --wrap=64 ocsp.der; echo "-----END OCSP RESPONSE-----") > ocsp.pem
 			</pre>
 
+			If you have trouble identifying which certificates you need, here the more detailed explanation:
+
+			You usually have a list of certificates in the PEM file you pass to lighttpd. The first certificate usually has a "Subject" pointing to your server name (CN), like: "Subject: CN=lighttpd.net". It also has a "Issuer" attribute (like "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"). The issuer certificate needs a "Subject" matching that "Issuer", and should be the second certificate in the PEM file (unless it already is the root CA, in which case it is usually omitted).
+
+			@ocsptool@ will always use the first certificate in a file and ignore the others, so you can use the normal PEM file you pass to lighttpd as argument after @--load-cert@, but you need to extract the issuer certificate if you don't have it in a separate file. The following @awk@ script extracts the second PEM block from a file:
+
+			<pre>
+				awk '
+					BEGIN { block = 0 }
+					/^-----BEGIN / { ++block; }
+					{ if (block > 1) print; }
+				' "certs.pem" > "issuer.pem"
+			</pre>
 		</textile>
 	</section>