Postgres Pro
Downloads
Home   >   mailing lists

Re: Creating Certificates - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Creating Certificates
Date
Msg-id 20181016024929.GA31154@momjian.us
Whole thread Raw
In response to Re: Creating Certificates  (Tatsuo Ishii <ishii@sraoss.co.jp>)
Responses Re: Creating Certificates  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
Tree view 
On Tue, Oct 16, 2018 at 11:45:53AM +0900, Tatsuo Ishii wrote:
> > I'm not opposed to simplifying the instructions, however.
> 
> Ok, attached is a proposal to simplify the instructions.

I am against this simplification for the reasons I stated in this
thread.

---------------------------------------------------------------------------

> 
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp

> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
> index 8d9d40664b..23f080eeab 100644
> --- a/doc/src/sgml/runtime.sgml
> +++ b/doc/src/sgml/runtime.sgml
> @@ -2426,21 +2426,15 @@ chmod og-rwx server.key
>     </para>
>  
>     <para>
> -    To create a server certificate whose identity can be validated
> -    by clients, first create a certificate signing request
> -    (<acronym>CSR</acronym>) and a public/private key file:
> +    To create a server certificate whose identity can be validated by
> +    clients, create a root certificate authority (using the
> +    default <productname>OpenSSL</productname> configuration file location
> +    on <productname>Linux</productname>):
>  <programlisting>
> -openssl req -new -nodes -text -out root.csr \
> -  -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
> +openssl req -new -x509 -nodes -text -days 3650 \
> +  -config /etc/ssl/openssl.cnf -extensions v3_ca \
> +  -out root.crt -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
>  chmod og-rwx root.key
> -</programlisting>
> -    Then, sign the request with the key to create a root certificate
> -    authority (using the default <productname>OpenSSL</productname>
> -    configuration file location on <productname>Linux</productname>):
> -<programlisting>
> -openssl x509 -req -in root.csr -text -days 3650 \
> -  -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
> -  -signkey root.key -out root.crt
>  </programlisting>
>      Finally, create a server certificate signed by the new root certificate
>      authority:


-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +

pgsql-hackers by date:

Previous
From: Tatsuo Ishii
Date:
Subject: Re: Creating Certificates
Next
From: Haribabu Kommi
Date:
Subject: Re: Pluggable Storage - Andres's take