Re: Self-signed certificate instructions

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Self-signed certificate instructions
Date: 2017-04-17 20:09:28
Message-ID: 20170417200928.GA7113@momjian.us
Lists: pgsql-hackers

On Mon, Apr 17, 2017 at 03:43:09PM -0400, Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > I think the reason we have those cumbersome instructions is that there
> > is no way to create a non-expirable certificate using simpler
> > instructions.
>
> Um ... but the current instructions don't address that either.

Uh, I thought the instructions were needed for non-expiration, but I now
remember it was to allow for non-password keys, but now I see it is not
needed, so +1 for making the simplification.

> > I would like to revisit these instructions, as well as document how to
> > create intermediate certificates. I have scripts that do that.
>
> I don't think we should try to teach people how to use openssl.
> A quick example of setting up a dummy certificate for testing is fine,
> but going much beyond that is not our turf.

We had an open item for years about people complaining that the client
required the entire chain to the root (and our documentation currently
mentions that requirement), but it turns out this is only necessary if
you don't create the intermediate certificates with the proper
certificate flag, e.g. -extensions v3_ca. I will generate a patch that
at least mentions that requirement.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
