From 551ff912277a60b5fef9f4c6379084ac7aa27b5b Mon Sep 17 00:00:00 2001 From: Walter Goulet Date: Wed, 9 Jul 2025 13:29:17 -0500 Subject: [PATCH] Add additional docs to clarify key generation and format for config file --- trillian/docs/ManualDeployment.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/trillian/docs/ManualDeployment.md b/trillian/docs/ManualDeployment.md index d10a31754f..e0313d58ef 100644 --- a/trillian/docs/ManualDeployment.md +++ b/trillian/docs/ManualDeployment.md @@ -258,6 +258,13 @@ ASN1 OID: prime256v1 NIST CURVE: P-256 ``` +**Cross-check**: Convert the private and public key into DER format encoded as a hex string that can be set in the configuration file: +```bash +% openssl pkcs8 -in privkey.pem -topk8 -nocrypt -outform der -out privkey.der +% xxd -p privkey.der | tr -d '\n' | sed 's/../\\x&/g' > privkey.hex +``` +Copy the contents of privkey.hex (single line) into the private_key stanza in the configuration file. Repeat the process for the public key. + **Cross-check**: Once the CTFE is configured and running ([below](#ctfe-start-up)), the `ctclient` command-line tool allows signature checking against the public key with the `--pub_key` option:
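Review bot: The closing sentence of the added block, "Repeat the process for the public key", cannot be followed as written, because the only conversion shown is `openssl pkcs8 -topk8`, which operates on private keys. The intro line promises both keys, so the public key needs its own DER conversion command spelled out (for example `openssl pkey -pubin -outform der` with the appropriate input and output files) ahead of the same `xxd` pipeline. Two smaller points on the same added lines: the paragraph is labelled **Cross-check** but describes a configuration step rather than a verification, so a different label would keep it distinct from the actual cross-check that follows it; and `-nocrypt` leaves the private key unencrypted in both `privkey.der` and `privkey.hex`, so the text should tell the reader to restrict permissions on those files and remove them once the value has been copied into the configuration file.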