Quick Links

Re: Creating Certificates

From:	Bruce Momjian <bruce(at)momjian(dot)us>
To:	Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp>
Cc:	andrew(dot)dunstan(at)2ndquadrant(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject:	Re: Creating Certificates
Date:	2018-10-16 02:49:29
Message-ID:	20181016024929.GA31154@momjian.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-docs pgsql-hackers

On Tue, Oct 16, 2018 at 11:45:53AM +0900, Tatsuo Ishii wrote:
> > I'm not opposed to simplifying the instructions, however.
>
> Ok, attached is a proposal to simplify the instructions.

I am against this simplification for the reasons I stated in this
thread.

---------------------------------------------------------------------------

>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp

> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
> index 8d9d40664b..23f080eeab 100644
> --- a/doc/src/sgml/runtime.sgml
> +++ b/doc/src/sgml/runtime.sgml
> @@ -2426,21 +2426,15 @@ chmod og-rwx server.key
> </para>
>
> <para>
> - To create a server certificate whose identity can be validated
> - by clients, first create a certificate signing request
> - (<acronym>CSR</acronym>) and a public/private key file:
> + To create a server certificate whose identity can be validated by
> + clients, create a root certificate authority (using the
> + default <productname>OpenSSL</productname> configuration file location
> + on <productname>Linux</productname>):
> <programlisting>
> -openssl req -new -nodes -text -out root.csr \
> - -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
> +openssl req -new -x509 -nodes -text -days 3650 \
> + -config /etc/ssl/openssl.cnf -extensions v3_ca \
> + -out root.crt -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
> chmod og-rwx root.key
> -</programlisting>
> - Then, sign the request with the key to create a root certificate
> - authority (using the default <productname>OpenSSL</productname>
> - configuration file location on <productname>Linux</productname>):
> -<programlisting>
> -openssl x509 -req -in root.csr -text -days 3650 \
> - -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
> - -signkey root.key -out root.crt
> </programlisting>
> Finally, create a server certificate signed by the new root certificate
> authority:

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +

In response to

Re: Creating Certificates at 2018-10-16 02:45:53 from Tatsuo Ishii

Responses

Re: Creating Certificates at 2018-10-16 12:02:48 from Magnus Hagander

Browse pgsql-docs by date

	From	Date	Subject
Next Message	PG Doc comments form	2018-10-16 06:15:08	type point
Previous Message	Tatsuo Ishii	2018-10-16 02:45:53	Re: Creating Certificates

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Haribabu Kommi	2018-10-16 02:59:21	Re: Pluggable Storage - Andres's take
Previous Message	Tatsuo Ishii	2018-10-16 02:45:53	Re: Creating Certificates