Postgres Pro
Downloads
Home   >   mailing lists

Re: Creating Certificates - Mailing list pgsql-hackers

From Tatsuo Ishii
Subject Re: Creating Certificates
Date
Msg-id 20181006.184654.1746720307918096466.t-ishii@sraoss.co.jp
Whole thread Raw
Responses Re: Creating Certificates  (Andrew Dunstan <andrew.dunstan@2ndquadrant.com>)
List pgsql-hackers
Tree view 
After sending below to pgsql-docs, I noticed if I follow the step
described in the doc[1], generated root.crt lacks below.

        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF
            X509v3 Authority Key Identifier: 
                keyid:3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

This is present if I use command[2]:
> openssl req -new -x509 -nodes -text -days 3650 \
>   -config /etc/ssl/openssl.cnf -extensions v3_ca \
>   -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"

I wonder if this is normal or not.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp

From: Tatsuo Ishii <ishii@sraoss.co.jp>
Subject: Creating Certificates
Date: Sat, 06 Oct 2018 08:17:04 +0900 (JST)
Message-ID: <20181006.081704.1372328430253415862.t-ishii@sraoss.co.jp>

> In "18.9.3. Creating Certificates",
> 
> ------------------------------------------------------------------
[1]
> To create a server certificate whose identity can be validated by
> clients, first create a certificate signing request (CSR) and a
> public/private key file:
> 
> openssl req -new -nodes -text -out root.csr \
>   -keyout root.key -subj "/CN=root.yourdomain.com"
> chmod og-rwx root.key
> 
> Then, sign the request with the key to create a root certificate
> authority (using the default OpenSSL configuration file location on
> Linux):
> 
> openssl x509 -req -in root.csr -text -days 3650 \
>   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
>   -signkey root.key -out root.crt
> ------------------------------------------------------------------
> 
> For me it seesm the two-step procedure can be replaced with following
> one command:
> 
[2]
> openssl req -new -x509 -nodes -text -days 3650 \
>   -config /etc/ssl/openssl.cnf -extensions v3_ca \
>   -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"
> 
> Is there any reaon why our doc recommend the two-step procedure?
> 
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
>

pgsql-hackers by date:

Previous
From: Michael Paquier
Date:
Subject: Re: partition tree inspection functions
Next
From: Dean Rasheed
Date:
Subject: Re: BUG #15307: Low numerical precision of (Co-) Variance