Thread: SSL Connections

SSL Connections

From
"Oliver Elphick"
Date:
I've been experimenting with the SSL connection support.  Unfortunately I can't
get the postmaster to start because the instructions in the documentation for
setting up a certificate don't work.

They say:
=============================================================================
For details on how to create your server private key and certificate, refer
to the OpenSSL documentation... To create a quick self-signed certificate, use
the CA.pl script included in OpenSSL:

CA.pl -newcert

Fill out the information the script asks for. Make sure to enter the local
host name as Common Name. The script will generate a key that is passphrase
protected. To remove the passphrase (required if you want automatic
start-up of the postmaster), run the command

openssl x509 -inform PEM -outform PEM -in newreq.pem \
        -out newkey_no_passphrase.pem

Enter the old passphrase to unlock the existing key. Copy the file newreq.pem
to PGDATA/server.crt and newkey_no_passphrase.pem to PGDATA/server.key.
Remove the PRIVATE KEY part from the server.crt using any text editor.
=============================================================================

The openssl x509 command runs with no interaction; this documentation seems
to indicate that it will ask for a password.

I can't find anything in the SSL documentation about removing or
changing the passphrase.

Has anyone successfully done this? And if so, how is the documentation
quoted above incorrect?


-- 
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                 ========================================
     "And she shall bring forth a son, and thou shall call
      his name JESUS; for he shall save his people from
      their sins."            Matthew 1:21
 




Re: SSL Connections

From
"Dominic J. Eidson"
Date:
On Wed, 20 Dec 2000, Oliver Elphick wrote:

> Has anyone successfully done this? And if so, how is the documentation
> quoted above incorrect?

When I did my testing, I just took some certs that I had generated
through Apache's make certificate command - just don't enter a passphrase,
then copy the certificate and key. Works great.


-- 
Dominic J. Eidson                                       "Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/              http://www.the-infinite.org/~dominic/



RE: SSL Connections

From
Magnus Hagander
Date:
> > Has anyone successfully done this? And if so, how is the documentation
> > quoted above incorrect?
> 
> When I did my testing, I just took some certs that I had generated
> through Apache's make certificate command - just don't enter a passphrase,
> then copy the certificate and key. Works great.

Hmm. Those instructions worked when I wrote them - must've had an old
version of OpenSSL, and they changed it. Any chance you could update the
documentation to something that works? 

//Magnus


Re: SSL Connections

From
Matthew Kirkwood
Date:
On Wed, 20 Dec 2000, Oliver Elphick wrote:

> To create a quick self-signed certificate, use the CA.pl script
> included in OpenSSL:
> 
> CA.pl -newcert

Or you can do it manually:

openssl req -new -text -out cert.req        # you will have to enter a password
mv privkey.pem cert.pem.pw
openssl rsa -in cert.pem.pw -out cert.pem   # this removes the password
openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert

Matthew.



Re: SSL Connections

From
"Oliver Elphick"
Date:
Matthew Kirkwood wrote:
  >On Wed, 20 Dec 2000, Oliver Elphick wrote:
  >
  >> To create a quick self-signed certificate, use the CA.pl script
  >> included in OpenSSL:
...
  >Or you can do it manually:
  >
  >openssl req -new -text -out cert.req (you will have to enter a password)
  >mv privkey.pem cert.pem.pw
  >openssl rsa -in cert.pem.pw -out cert.pem  (this removes the password)
  >openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert

then

  cp cert.pem $PGDATA/server.key
  cp cert.cert $PGDATA/server.crt

Thank you; this works.

I attach a documentation patch.

Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                 ========================================
     "For a child will be born to us, a son will be given to
      us; And the government will rest on His shoulders; And
      His name will be called Wonderful Counsellor, Mighty
      God, Eternal Father, Prince of Peace."
                                        Isaiah 9:6

Attachment
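
Added example (not part of the thread or of the PostgreSQL documentation): the manual steps above run without prompts, followed by a check for the two faults discussed in the thread, a key that is still passphrase-protected and a certificate file that still contains the PRIVATE KEY block, plus a key/certificate match and a file-mode check. The -newkey, -keyout, -subj and pass: options, the function names, the passphrase, the CN and the scratch directory are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. The passphrase, CN and scratch
# directory are constructed values.

# The four steps from the thread, run without prompts inside directory $1.
make_pair() {
    ( cd "$1" || exit 1
      umask 077    # keep every generated file private to the owner
      openssl req -new -newkey rsa:2048 -text -out cert.req \
          -keyout cert.pem.pw -passout pass:constructed -subj "/CN=$2" &&
      openssl rsa -in cert.pem.pw -passin pass:constructed -out cert.pem &&
      openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
    ) >/dev/null 2>&1
}

# Exit status 0 means key $1 and certificate $2 suit unattended start-up.
check_pair() {
    # 1: key still passphrase-protected (both PEM styles say ENCRYPTED)
    if grep -q ENCRYPTED "$1"; then return 1; fi
    # 2: certificate file still carries the PRIVATE KEY block
    if grep -q 'PRIVATE KEY' "$2"; then return 2; fi
    # 3: certificate was not issued for this key
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -z "$k" ] || [ "$k" != "$c" ]; then return 3; fi
    # 4: key file accessible to group or others
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then return 4; fi
    return 0
}

# Demo run in a scratch directory.
d=$(mktemp -d) && make_pair "$d" localhost
check_pair "$d/cert.pem" "$d/cert.cert"
echo "final pair: $?"
check_pair "$d/cert.pem.pw" "$d/cert.cert"
echo "passphrase-protected key: $?"
```

Run check_pair against $PGDATA/server.key and $PGDATA/server.crt after copying the files; a non-zero status names the failed check by its number in the comments.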

Re: SSL Connections

From
Bruce Momjian
Date:
Applied.

> Matthew Kirkwood wrote:
>   >On Wed, 20 Dec 2000, Oliver Elphick wrote:
>   >
>   >> To create a quick self-signed certificate, use the CA.pl script
>   >> included in OpenSSL:
> ...
>   >Or you can do it manually:
>   >
>   >openssl req -new -text -out cert.req (you will have to enter a password)
>   >mv privkey.pem cert.pem.pw
>   >openssl rsa -in cert.pem.pw -out cert.pem  (this removes the password)
>   >openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
> 
> then
> 
>   cp cert.pem $PGDATA/server.key
>   cp cert.cert $PGDATA/server.crt
> 
> Thank you; this works.
> 
> I attach a documentation patch.
> 
Content-Description: ol

[ Attachment, skipping... ]

> Oliver Elphick                                Oliver.Elphick@lfix.co.uk
> Isle of Wight                              http://www.lfix.co.uk/oliver
> PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
> GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
>                  ========================================
>      "For a child will be born to us, a son will be given to
>       us; And the government will rest on His shoulders; And
>       His name will be called Wonderful Counsellor, Mighty 
>       God, Eternal Father, Prince of Peace." 
>                                         Isaiah 9:6 


-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026