bwesterb · bwesterb · Apr 24, 2025 · Apr 24, 2025 · Apr 24, 2025
diff --git a/README.md b/README.md
@@ -100,6 +100,34 @@ The second is optional "evidence" that's published alongside the
 assertions. In the future this could for instance be used for
 serialized DNSSEC proofs.
 
+We can also create an assertion request derived from an existing X.509
+certificate at a TLS server using the `-X` flag:
+
+```
+$ mtc new-assertion-request -X example.com:443 | mtc inspect assertion-request
+checksum         015d4da06412b4e48f8d93bcbe7bbf43c4684579322cbfbc88d8b653bb2f7e51
+not_after        unset
+subject_type     TLS
+signature_scheme p256
+public_key_hash  8d566a5407ab85b413925911c4ce6b13013516006fa8568bf2ec58b9abe04af1
+dns              [example.com]
+dns_wildcard     [example.com]
+evidence-list (1 entries)
+umbilical
+ certificate 0
+  subject    CN=*.example.com,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US
+  issuer     CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US
+  serial_no  ad893bafa68b0b7fb7a404f06ecaf9a
+  not_before 2025-01-15 00:00:00 +0000 UTC
+  not_after  2026-01-15 23:59:59 +0000 UTC
+ certificate 1
+  subject    CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US
+  issuer     CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
+  serial_no  b00e92d4d6d731fca3059c7cb1e1886
+  not_before 2021-04-14 00:00:00 +0000 UTC
+  not_after  2031-04-13 23:59:59 +0000 UTC
+```
+
 ### Batches, merkle trees and signed validity windows
 
 An MTCA doesn't give you a certificate for an assertion request immediately.
@@ -483,3 +511,66 @@ recomputed tree head 043bc6b0e49a085f2370b2e0f0876d154c2e8d8fe049077dbad118a3635
 authentication path
  8964f010faa9e499b21917f8792b541b7b1ac19f313a5d53094c698c2edc330b
 ```
+
+### Mirroring a CA
+
+We can set up a new mirror with the `mtc mirror new` command:
+
+```
+$ mtc mirror new ca.example.com/path
+```
+
+This will download the `ca-params`
+from `https://ca.example.com/path/mtc/v04b/ca-params` and
+set up a directory structure similar to that of a CA:
+
+```
+$ find .
+.
+./www
+./www/mtc
+./www/mtc/v04b
+./www/mtc/v04b/ca-params
+./www/mtc/v04b/batches
+./tmp
+```
+
+To bring the mirror up to date with the CA, use the `update` command:
+
+```
+$ mtc mirror update
+2025/04/24 11:54:53 INFO Current state expectedStoredRemote=0 expectedActiveRemote=0 latestRemoteBatch=0 mirroredBatches=⌀
+2025/04/24 11:54:53 INFO Fetching batch=0
+2025/04/24 11:54:53 INFO Next batch at the earliest in 49s
+$ find .
+.
+./www
+./www/mtc
+./www/mtc/v04b
+./www/mtc/v04b/ca-params
+./www/mtc/v04b/batches
+./www/mtc/v04b/batches/0
+./www/mtc/v04b/batches/0/validity-window
+./www/mtc/v04b/batches/0/tree
+./www/mtc/v04b/batches/0/entries
+./www/mtc/v04b/batches/0/evidence
+./www/mtc/v04b/batches/latest
+./tmp
+```
+
+#### Local testing
+
+To make local testing convenient, when you use `localhost` as server prefix,
+the mirror will use `http` instead of `https`. This allows a quick testing
+set up as follows:
+
+```
+# Set up a CA in the ca folder
+$ mtc ca -p ca new --batch-duration 5m --lifetime 1h 62253.12.15 localhost:8080
+$ mtc ca -p ca queue -X example.com:443
+$ mtc ca -p ca issue
+$ mtc ca -p ca server -listen-addr localhost:8080 &
+# Set up a mirror of the CA in the mirror folder
+$ mtc mirror -p mirror new localhost:8080
+$ mtc mirror -p mirror update
+```