Attached is the first cut at mkcert.sh, a tool to create PostgreSQL
server certificates. It also sets up a directory suitable for the
OpenSSL CA tool, something that can be used to sign client certs.
The root cert should be added to the backend SSL cert verification
tools, and copied to user's .postgresql directory so the client
can verify the server cert. This one root cert can be used for
multiple server certs in addition to all client certs.
Also, this script sets up DSA keys/certs. With ephemeral DH keys the
server (and client) keys are only used to sign the ephemeral keys,
so you can use DSA keys. Without ephemeral keys you would need to
use RSA keys since those keys are used for encryption in addition
to signing.
Some predictable changes:
1) the root key should be encrypted, since it isn't necessary for
the system to boot. (Extreme case: the root key should be
kept off the hard disk, perhaps in a smart card.)
2) the 'openssl.conf' file could be split into 'root.conf' and
'server.conf' files so the prompts can be a bit more suggestive.
There should also be a 'client.conf' file for client certs,
and it should be copied to /etc/postgresql and visible to clients.
(To avoid the hassles of requiring clients have the OpenSSL
tools bundled, pgkeygen should be a binary program instead of
a script.)
3) there should be a sample domain-component config file in addition
to the geopolitical one. That gives DNs like
DC=com/DC=example/CN=eris.example.com/email=postgres@example.com
instead of
C=US/ST=Colorado/O=Snakeoil/CN=eris.example.com/email=postgres@example.com
Bear
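
The arrangement the post describes (one passphrase-protected root signing a server cert that is then verified against the root cert, using a domain-component DN), as an added example that is not the attached mkcert.sh or any PostgreSQL code. RSA keys stand in for the post's DSA keys, and the file names, DN values, 30-day lifetime and the ROOT_PASS variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not mkcert.sh: one encrypted root key signs a server cert.
# File names, DN values and ROOT_PASS are assumptions; RSA stands in for DSA.

# write_conf FILE CN [EXTRA_REQ_LINE]: domain-component request config, no prompts.
write_conf() {
    cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
$3
[ dn ]
0.DC         = com
1.DC         = example
CN           = $2
emailAddress = postgres@example.com
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# make_demo_pki DIR: create root.key/root.crt and server.key/server.crt in DIR.
make_demo_pki() (
    [ -n "${ROOT_PASS:-}" ] || { echo "ROOT_PASS must be set" >&2; exit 1; }
    export ROOT_PASS                # openssl reads it through env:ROOT_PASS
    umask 077                       # new files readable by the owner only
    mkdir -p "$1" && cd "$1" &&
    write_conf root.conf "Example PostgreSQL Root CA" "x509_extensions = v3_ca" &&
    write_conf server.conf "eris.example.com" "" &&
    # Root: passphrase-encrypted key and self-signed CA cert.
    openssl req -x509 -newkey rsa:2048 -passout env:ROOT_PASS -days 30 \
        -config root.conf -keyout root.key -out root.crt &&
    # Server: unencrypted key so the server can start unattended, plus a CSR.
    openssl req -new -newkey rsa:2048 -nodes \
        -config server.conf -keyout server.key -out server.csr &&
    # Sign the server request with the root key.
    openssl x509 -req -in server.csr -CA root.crt -CAkey root.key \
        -passin env:ROOT_PASS -CAcreateserial -days 30 -out server.crt
)

# verify_server ROOT_CRT SERVER_CRT: succeeds only if the cert chains to that root.
verify_server() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run `make_demo_pki DIR` with ROOT_PASS set, then `verify_server DIR/root.crt DIR/server.crt`; the same check fails for a server cert issued under a different root, even one with an identical DN.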