Improve README.

README.md

@@ -2,43 +2,67 @@
 
 I wanted to install a certificate generated by Let's encrypt on my brand new laser printer 
 (HP Laserjet MFJ 4302) for the integrated administration webserver.
-After research on the web, I discovered 
+After research on the web, I discovered that although there were projects supporting older models
+nothing was existing for newer models.
+Hence I decided to write my own tool in Python.
+It was designed by reverse engineering the integrated administration webserver following the
+network exchange when using the menu dedicated to certificate management 
+(Security -> Certicates management)
 
-# Arguments
+# Command
 
-positional arguments:
+```bash
-  {csr,pem}             command help
+  {list, del, csr,pem}
-    csr                 Create CSR
+    list                List certificates known by the printer
-    pem                 Install certificate
+    del                 Delete a certificate
+    csr                 Create a certificate signing request (CSR)
+    pem                 Install a PEM certificate
 
-options:
+Common options:
-  -h, --help            show this help message and exit
+  -h, --help                        Show this help message and exit
   -d, --debug                       Activate debug.
-  -c, --config CONFIG_FILENAME
+  -c, --config CONFIG_FILENAME      Configuration file.
-                        Configuration file.
+  -u, --user USERNAME               Username (admin).
-  -u, --user USERNAME   Username.
+  -p, --password [PASSWORD]         Specify admin password.
-  -p, --password [PASSWORD]
-                        Password.
   -H, --host HOSTNAME               Hostname.
-  -n, --no-tls-verification
+  -n, --no-tls-verification         Do not verify certificate validity.
-                        Verify certificate validity.
+```
-
 
 # How to use it ?
 
-To obtain a CSR:
+After playing a lot with the administration web server, I discover a reproducible way to convince
-```
+the printer to accept a Let's Encrypt certificate.
+First you need to ask a CSR generated by the printer:
+```bash
 ./refresh-certificate.py  -c ./config.ini -n -p PASSWORD csr
 ```
+This way the private key part of the certificate is only known by the printer.
+I was not able to import the private key of a Let's Encrypt certificate as obtained when generating
+the certificate directly from ACME.
 
-To obtain a PEM certificate from Let's encrypt:
+Next you need to ask Let's Encrypt to sign the CSR:
 ```
 certbot certonly --webroot -w /var/www/letsencrypt/ --csr printer.csr
 ```
 
-To install the PEM file on the printer:
+You should obtain three PEM files in response:
+
+1. _cert.pem_: the certificate itself (PEM format)
+2. _chain.pem_: the intermediate CA that signed the certificate (PEM format)
+3. _fullchain.pem_: the two previous files concatenated.
+
+Finally you can install the certificate PEM file on the printer:
 ```
-./refresh-certificate.py  -c ./config.ini -n -p PASSWORD pem 
+./refresh-certificate.py  -c ./config.ini -n -p PASSWORD pem -i fullchain.pem
 ```
 
+Please note that during the last step, you can add either the _cert.pem_ file or 
+the _fullchain.pem_ files. In both cases, you should be able to connect to the printer webserver
+without warning message from your navigator (tested on Firefox and Chromium).
+This is possible because the main navigators comes with a certificates store that contains
+not only the root certificate of Let's Encrypt but also the intermediate certificates.
+However, note that most others tools will fail to connect to the Web server of the printer
+(including this tool) because the printer will only present the final certificate.
+You really have to install the _fullchain.pem_ to remove TLS connexion errors from all tools.
+