Date: Wed, 17 Jan 2018 17:20:00 +0900
From: Michael Paquier
To: Bruce Momjian
Cc: PostgreSQL-documentation, Stephen Frost, David Steele
Subject: Re: Correction of intermediate certificate handling
Message-ID: <20180117082000.GA13673@paquier.xyz>
References: <20180116002238.GC12724@momjian.us> <20180116053305.GB2212@paquier.xyz> <20180116162122.GB1470@momjian.us> <20180117000950.GB935@paquier.xyz> <20180117032344.GA26285@momjian.us>
In-Reply-To: <20180117032344.GA26285@momjian.us>

On Tue, Jan 16, 2018 at 10:23:44PM -0500, Bruce Momjian wrote:
> On Wed, Jan 17, 2018 at 09:09:50AM +0900, Michael Paquier wrote:
> > On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> > > On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
>
> I ended up merging the "chain of trust" changes into the "intermediate"
> patch since they affect adjacent sections of the docs.  You can see this
> as the first attached patch.

Thanks.  I looked at crt.diff and the surroundings in the docs.  This one
looks consistent to me.

> > > > Perhaps the docs could also include an example of command to create a
> > > > root and an intermediate certificate in runtime.sgml or such?
> > >
> > > Yes, I have thought about that.  My presentation has clear examples that
> > > we can use, again based on Stephen and David's scripts using v3_ca.  I
> > > will work up a possible patch for that too.
> >
> > That too.
>
> I did that as a separate patch, which is the second attachment.

This is openssl.diff.

+ Then, sign the request with the the private key to create a root
+certificate authority:

s/the the/the/

+
+openssl req -new -nodes -text -out root.csr \
+ -keyout root.key -subj "/CN=root.yourdomain.com"
+chmod og-rwx root.key
+openssl x509 -req -in root.csr -text -days 365 \
+ -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
+ -signkey root.key -out root.crt

The succession of commands for the intermediate certificates is wild.
Could it be possible to explain what each command means?  Users would
not get lost this way.

> I don't think I will work on the testing changes.

Fine for me.  This could do for a fine TODO item.  Not one of those hard,
complicated and basically impossible things on the TODO list.
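Review bot: `-days 365` on the root certificate caps the validity of every intermediate and server certificate issued under it, so a reader who copies this example verbatim gets a chain that stops validating after one year; the hunk should either give the root a longer `-days` or say in the prose that the root's validity must cover everything signed with it. In the same hunk, `-extfile /etc/ssl/openssl.cnf` hard-codes a Debian/Ubuntu path, and the command only works if that file contains a `[ v3_ca ]` section; other platforms ship the file elsewhere, so the text should note that the location is distribution-dependent. Minor: `-text` on `openssl x509 -req` writes a human-readable dump ahead of the PEM block in root.crt, which is noise in a file that will be copied to clients as their trust anchor.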
-- 
Michael
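The one-command-per-step walk-through Michael asks for above, as an added example that is not part of this thread, of the patch under review, or of the PostgreSQL docs. It follows the same req / x509 -req pattern as the patch but ships its own extensions file instead of depending on the system openssl.cnf, and it goes one level further than the quoted hunk by issuing an intermediate and a server certificate and verifying the chain. Every directory, subject name, file name and section name below is an assumption made for this illustration.

```shell
#!/bin/sh
# Added example (not from the PostgreSQL docs or from the patch under review):
# build root -> intermediate -> server with one openssl command per step and a
# comment saying what each step is for. All names below are assumptions.
set -eu

# Write a small extensions file so the example does not depend on where the
# system openssl.cnf lives or whether it has a v3_ca section.
write_extensions() {
    cat > "$1/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:db.example.internal
EOF
}

# make_chain DIR: create the three certificates and their keys in DIR.
make_chain() {
    d=$1
    mkdir -p "$d"
    write_extensions "$d"

    # 1. Root: generate an unencrypted RSA key (-nodes) and a CSR for it in one
    #    go, then self-sign that CSR with the same key (-signkey), marking the
    #    result as a CA via the v3_ca section. root.csr is never used again.
    #    The root's -days bounds everything issued under it, hence 10 years.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.csr" -subj "/CN=root.example.internal"
    chmod 600 "$d/root.key"
    openssl x509 -req -in "$d/root.csr" -days 3650 \
        -extfile "$d/ext.cnf" -extensions v3_ca \
        -signkey "$d/root.key" -out "$d/root.crt"

    # 2. Intermediate: its own key and CSR, but the CSR is signed with the
    #    root's key (-CA/-CAkey), so the issuer is the root rather than itself.
    #    pathlen:0 means it may sign end-entity certificates only.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/intermediate.key" \
        -out "$d/intermediate.csr" -subj "/CN=intermediate.example.internal"
    chmod 600 "$d/intermediate.key"
    openssl x509 -req -in "$d/intermediate.csr" -days 1825 \
        -extfile "$d/ext.cnf" -extensions v3_intermediate \
        -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/intermediate.crt"

    # 3. Server: signed by the intermediate, CA:FALSE, with the SAN that
    #    clients will match against the host name they connect to.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=db.example.internal"
    chmod 600 "$d/server.key"
    openssl x509 -req -in "$d/server.csr" -days 365 \
        -extfile "$d/ext.cnf" -extensions v3_server \
        -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" -CAcreateserial \
        -out "$d/server.crt"

    # 4. What the server hands out: leaf first, then the intermediate, so a
    #    client that trusts only root.crt can build the chain. root.crt alone
    #    is what the client keeps as its trust anchor.
    cat "$d/server.crt" "$d/intermediate.crt" > "$d/server-chain.crt"
}

# Succeeds: the verifier trusts the root and is handed the intermediate.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
        "$1/server.crt"
}

# Fails with "unable to get local issuer certificate": the leaf alone cannot
# be linked back to the root, which is the mistake a missing intermediate
# in the server's certificate file produces.
verify_leaf_alone() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt"
}

# Usage: sh chain.sh ./pki-demo
if [ -n "${1:-}" ]; then
    make_chain "$1"
    verify_chain "$1"
fi
```

The `verify_chain` / `verify_leaf_alone` pair is the check worth keeping around: the second one failing while the first succeeds is exactly what a client sees when a server is configured with only its leaf certificate and the intermediate is missing from the file.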