From 2bbf9b3f53453de0ee41e22a7653d93bba000d04 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sat, 3 Jan 2026 09:20:46 -0600
Subject: [PATCH] README tweaks

---
 README.md | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index aa1a9c4..67d1b0f 100644
--- a/README.md
+++ b/README.md
@@ -95,17 +95,20 @@ curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/wiza
 Set up provisioner password by running this and pasting in the current JWK provisioner password for `admin`
 
 ```
-(umask 077; read -s secret && echo "$secret" > $(step path)/certs/secret.txt && unset secret)
-```
-
-Generate the client TLS private key and (public) certificate for mTLS. This will combine them both into a file called `restic.pem`, which can be used with the `--tls-client-cert` option with the restic CLI.
-
-```
-cd $(step path)/certs && \
-step ca certificate \
-  --provisioner admin --password-file secret.txt \
-  $(hostnamectl hostname) restic.crt restic.key && \
-(umask 077; cat restic.{crt,key} > restic.pem)
+export HOSTNAME=$(hostname -s) && \
+export DOMAIN="john-stream.com" && \
+export CERT_DIR="/var/lib/tls" && \
+export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1) && \
+(umask 077; mkdir -p "$CERT_DIR" && cd "$CERT_DIR" && \
+step ca root root_ca.crt && \
+step ca certificate "$HOSTNAME" cert.pem key.pem \
+  --san "$HOSTNAME" \
+  --san "$HOSTNAME.$DOMAIN" \
+  --san "$IP_ADDRESS" \
+  --san spiffe://john-stream.com/role/docker-agent \
+  --provisioner admin && \
+cat {cert,key}.pem > restic.pem) && \
+chmod 644 cert.pem root_ca.crt
 ```
 
 Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT` to work.
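Review bot: The unchanged intro sentence above the block still says it sets up the provisioner password, but the `read -s secret … secret.txt` step was removed and `--password-file secret.txt` was dropped from `step ca certificate`, so the prose no longer matches the command, which will presumably prompt for the `admin` provisioner password interactively; either restore `--password-file secret.txt` (and the block that writes it) or reword the sentence to say it issues the client certificate and bundles it into `restic.pem`. `export HOSTNAME=$(hostname -s)` overwrites bash's own `HOSTNAME` variable for the rest of the session; a name such as `CERT_HOST` avoids that. `IP_ADDRESS` is read from a hard-coded `eth0`, and because the exit status of `export VAR=$(…)` is that of `export` rather than of the pipeline, the `&&` chain continues with an empty (or, with several addresses, multi-line) `--san` when the lookup yields nothing; a guard like `: "${IP_ADDRESS:?no IPv4 address found on eth0}"` before the subshell makes the failure explicit. Note also that `mkdir -p "$CERT_DIR"` runs under `umask 077`, so `/var/lib/tls` is created mode 0700 and the final `chmod 644 cert.pem root_ca.crt` only takes effect if the directory is later opened up; a one-line comment such as `# key.pem and restic.pem hold the private key and must stay 0600` would keep the next edit from widening them along with the public files.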