On 04/17/2017 02:19 PM, Bruce Momjian wrote:
> On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote:
>>
>> On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
>>> The instructions on how to create a self-signed certificate in s 18.9.3
>>> of the docs seem unduly cumbersome. AFAICT we could replace all the
>>> commands (except the chmod) with something like this:
>>>
>>> |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
>>> -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
>>>
>>> Is there any reason for sticking with the current instructions?
>>>
>> Argh. Darn Thunderbird. This should of course be:
>>
>>
>> openssl req -new-x509 -days 365-nodes \
> ^^^^^^^^^
>
> I think you meant "-days 365 -nodes" here.
yes.
>
> I think the reason we have those cumbersome instructions is that there
> is no way to create a non-expireable certificate using simpler
> instructions.
You can make it for a very large number of days. 9999 should be plenty :-)
TBH very long lived keys are a bad idea. In fact, self-signed
certificates in any production or publicly visible instance are also a
bad idea.
>
> I would like to revisit these instructions, as well as document how to
> create intermediate certificates. I have scripts that do that.
>
OK.. Do you want to run with this?
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services