From 6060e206a439bf6174cf9f2b2e77b1ba965cfe2f Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Sun, 6 Jan 2019 17:38:49 -0500
Subject: [PATCH] Document the hardcoded PKCS#12 password PKCS#12 encryption is legacy and we don't want to encourage relying on it by making the password configurable. Some systems require the default "changeit", so stick with that. Fixes #86 Closes #58 Closes #87
---
 cert.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/cert.go b/cert.go
index 13ed35f..055e274 100644
--- a/cert.go
+++ b/cert.go
@@ -113,7 +113,8 @@ func (m *mkcert) makeCert(hosts []string) {
 if !m.pkcs12 {
 log.Printf("\nThe certificate is at \"./%s.pem\" and the key at \"./%s-key.pem\" ✅\n\n", filename, filename)
 } else {
- log.Printf("\nThe PKCS#12 bundle is at \"./%s.p12\" ✅\n\n", filename)
+ log.Printf("\nThe PKCS#12 bundle is at \"./%s.p12\" ✅\n", filename)
+ log.Printf("\nThe legacy PKCS#12 encryption password is the often hardcoded default \"changeit\" ℹ️\n\n")
 }
 }
 
@@ -188,8 +189,8 @@ func (m *mkcert) newCA() {
 KeyUsage: x509.KeyUsageCertSign,
 
 BasicConstraintsValid: true,
- IsCA: true,
- MaxPathLenZero: true,
+ IsCA: true,
+ MaxPathLenZero: true,
 }
 
 cert, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &pub, priv)
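Review bot: The message added in the `else` branch of makeCert announces the password but not what follows from it: a publicly known, hardcoded password gives the bundle no confidentiality, and the .p12 presumably carries the same private key that the other branch writes to `-key.pem`. I would say so in the output, for example `log.Printf("\nThe legacy PKCS#12 encryption password is the often hardcoded default \"changeit\"; protect the file like a private key ℹ️\n\n")`. It is also worth confirming that the .p12 is written with owner-only permissions, since file permissions are then the only protection; that write is outside this hunk, as is the start of makeCert. As a small style point, the new call has no format verbs, so `log.Print` would do.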