Document man agent-external-key

Adapt commit message from cf69617bbe for man
page and management documentation.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1349082318-985-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7081
Signed-off-by: David Sommerseth <davids@redhat.com>

doc/management-notes.txt

@@ -750,6 +750,34 @@ To accept connecting to the host and port directly, use this command:
 
   proxy NONE
 
+COMMAND -- rsa-sig (OpenVPN 2.3 or higher)
+------------------------------------------
+Provides support for external storage of the private key. Requires the
+--management-external-key option. This option can be used instead of "key"
+in client mode, and allows the client to run without the need to load the
+actual private key. When the SSL protocol needs to perform an RSA sign
+operation, the data to be signed will be sent to the management interface
+via a notification as follows:
+
+>RSA_SIGN:[BASE64_DATA]
+
+The management interface client should then sign BASE64_DATA
+using the private key and return the SSL signature as follows:
+
+rsa-sig
+[BASE64_SIG_LINE]
+.
+.
+.
+END
+
+Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a
+correct signature.
+
+This capability is intended to allow the use of arbitrarycryptographic
+service providers with OpenVPN via the management interface.
+
+
 OUTPUT FORMAT
 -------------
 

doc/openvpn.8

@@ -2464,6 +2464,11 @@ Allow management interface to override
 .B \-\-remote
 directives (client-only).
 .\"*********************************************************
+.B \-\-management-external-key
+Allows usage for external private key file instead of
+.B \-\-key
+option (client-only).
+.\"*********************************************************
 .TP
 .B \-\-management-forget-disconnect
 Make OpenVPN forget passwords when management session