Re: Creating Certificates

From: Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Creating Certificates
Date: 2018-10-06 09:46:54
Message-ID: 20181006.184654.1746720307918096466.t-ishii@sraoss.co.jp
Lists: pgsql-docs pgsql-hackers

After sending the below to pgsql-docs, I noticed that if I follow the steps
described in the doc [1], the generated root.crt lacks the following.

X509v3 extensions:
X509v3 Subject Key Identifier:
3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF
X509v3 Authority Key Identifier:
keyid:3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption

This is present if I use the command [2]:
> openssl req -new -x509 -nodes -text -days 3650 \
> -config /etc/ssl/openssl.cnf -extensions v3_ca \
> -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"

I wonder if this is normal or not.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp

From: Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp>
Subject: Creating Certificates
Date: Sat, 06 Oct 2018 08:17:04 +0900 (JST)
Message-ID: <20181006(dot)081704(dot)1372328430253415862(dot)t-ishii(at)sraoss(dot)co(dot)jp>

> In "18.9.3. Creating Certificates",
>
> ------------------------------------------------------------------
[1]
> To create a server certificate whose identity can be validated by
> clients, first create a certificate signing request (CSR) and a
> public/private key file:
>
> openssl req -new -nodes -text -out root.csr \
> -keyout root.key -subj "/CN=root.yourdomain.com"
> chmod og-rwx root.key
>
> Then, sign the request with the key to create a root certificate
> authority (using the default OpenSSL configuration file location on
> Linux):
>
> openssl x509 -req -in root.csr -text -days 3650 \
> -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
> -signkey root.key -out root.crt
> ------------------------------------------------------------------
>
> For me it seems the two-step procedure can be replaced with the following
> one command:
>
[2]
> openssl req -new -x509 -nodes -text -days 3650 \
> -config /etc/ssl/openssl.cnf -extensions v3_ca \
> -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"
>
> Is there any reason why our doc recommends the two-step procedure?
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
>

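As an added check, not part of the thread or of the PostgreSQL docs: the script below builds root.crt with both procedures quoted in the message and then greps the decoded certificate for the three v3_ca extensions listed above, so a root that silently lacks CA:TRUE is caught before it is deployed. It assumes `openssl` is on PATH and uses a constructed minimal config file in place of /etc/ssl/openssl.cnf (its v3_ca section mirrors the stock one; v3_leaf is a non-CA profile added only to show the check rejecting a certificate).

```shell
#!/bin/sh
# Added example, not from the thread: build root.crt both ways and verify that
# the result really carries the v3_ca extensions (SKI, AKI, CA:TRUE).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed minimal config so the example does not depend on the contents of
# /etc/ssl/openssl.cnf; v3_ca mirrors the stock section, v3_leaf is a
# non-CA profile used only to show the check rejecting it.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
[ v3_leaf ]
basicConstraints = critical,CA:false
EOF
CNF="$WORK/openssl.cnf"
# Two-step procedure from the docs (CSR, then x509 -req), with -config added
# to the CSR step so it runs without a system-wide openssl.cnf.
make_root_two_step() {
  openssl req -new -nodes -config "$CNF" -out "$WORK/two.csr" \
    -keyout "$WORK/two.key" -subj "/CN=root.yourdomain.com" 2>/dev/null
  openssl x509 -req -in "$WORK/two.csr" -days 3650 -extfile "$CNF" \
    -extensions "${1:-v3_ca}" -signkey "$WORK/two.key" -out "$WORK/two.crt" 2>/dev/null
}
# One-step alternative proposed in the mail.
make_root_one_step() {
  openssl req -new -x509 -nodes -days 3650 -config "$CNF" -extensions v3_ca \
    -out "$WORK/one.crt" -keyout "$WORK/one.key" -subj "/CN=root.yourdomain.com" 2>/dev/null
}
# Returns 0 only if the certificate has all three extensions a root CA needs.
is_usable_root_ca() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'Subject Key Identifier' &&
    echo "$text" | grep -q 'Authority Key Identifier' &&
    echo "$text" | grep -q 'CA:TRUE'
}
make_root_two_step
make_root_one_step
for crt in "$WORK/two.crt" "$WORK/one.crt"; do
  if is_usable_root_ca "$crt"; then echo "$crt: CA extensions present"
  else echo "$crt: CA extensions MISSING, not usable as a root CA"; fi
done
```

Run it after changing the config path to the real openssl.cnf to see which of the two procedures produces a usable root on your OpenSSL version.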