From: Michael Paquier
To: Bruce Momjian
Cc: PostgreSQL-documentation, Stephen Frost, David Steele
Subject: Re: Correction of intermediate certificate handling
Date: Thu, 18 Jan 2018 10:25:03 +0900
Message-ID: <20180118012503.GB29962@paquier.xyz>
In-Reply-To: <20180117123442.GB26285@momjian.us>
References: <20180116002238.GC12724@momjian.us> <20180116053305.GB2212@paquier.xyz> <20180116162122.GB1470@momjian.us> <20180117000950.GB935@paquier.xyz> <20180117032344.GA26285@momjian.us> <20180117082000.GA13673@paquier.xyz> <20180117123442.GB26285@momjian.us>

On Wed, Jan 17, 2018 at 07:34:42AM -0500, Bruce Momjian wrote:
> On Wed, Jan 17, 2018 at 05:20:00PM +0900, Michael Paquier wrote:
> > The succession of commands for the intermediate certificates
> > is wild. Could it be possible to explain what each command means? Users
> > would not get lost this way.
>
> Yes, I was not happy about that either. I was afraid that pound-sign
> comments would look like root prompts but I just added them and they
> look fine. Updated patch attached, with some expiration and wording
> adjustments. There is also a new paragraph at the end explaining where
> to place the files.

Thanks, that's a net improvement. So +1 for this version.

+ enterprise-wide root CAs) should be used in production.

Nit here. CA should not be plural.

+
+ Then, sign the request with the the key to create a root certificate
+ authority:

You still have a "the the" here.

/etc/ssl/openssl.cnf is not available on macOS or Windows, which can lead
to a bit of confusion as I would imagine that people would copy/paste such
commands when testing things. Perhaps it would be worth mentioning that
this path is proper to usual Linux distributions (I can see it at least on
ArchLinux and Debian), with a reference to this OpenSSL link:
https://www.openssl.org/docs/manmaster/man5/config.html

There is as well a set of tiny configuration files in src/test/ssl.
--
Michael
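The patch under review documents the openssl command sequence for a root CA, an intermediate CA and a server certificate, and the reply above points out that /etc/ssl/openssl.cnf does not exist on macOS or Windows. The script below is an added example, not part of the patch, the PostgreSQL documentation or the files in src/test/ssl. It builds the same three-level chain with a self-contained config passed through -config and -extfile, so it does not depend on any distribution's openssl.cnf, and then checks that the server certificate verifies against the root only when the intermediate is supplied. The CA subjects, the host name dbhost.example.com, the file names and the validity periods are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the patch or the PostgreSQL docs): root CA ->
# intermediate CA -> server certificate with openssl, using a config file
# written here instead of /etc/ssl/openssl.cnf so it runs unchanged on
# Linux, macOS and Windows under WSL. All names below are made up.
set -u

# Minimal stand-in for /etc/ssl/openssl.cnf. "openssl req" insists on a
# distinguished_name section, but every subject is passed with -subj.
write_cnf() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dbhost.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Create keys and certificates in directory $1. Returns non-zero on any failure.
build_chain() {
  d=$1
  command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 1; }
  mkdir -p "$d" && write_cnf "$d" || return 1
  (
    set -e
    cd "$d"
    # 1. Root CA: self-signed and long lived; in production its key stays offline.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key
    openssl req -new -x509 -key root.key -subj "/CN=Example Root CA" -days 3650 \
        -config ca.cnf -extensions v3_ca -out root.crt
    # 2. Intermediate CA: a request signed by the root. pathlen:0 means it may
    #    issue end-entity certificates only, not further CAs.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out intermediate.key
    openssl req -new -key intermediate.key -subj "/CN=Example Intermediate CA" \
        -config ca.cnf -out intermediate.csr
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.cnf -extensions v3_intermediate_ca -out intermediate.crt
    # 3. Server certificate: a request signed by the intermediate. The SAN must
    #    match the host name clients use for sslmode=verify-full to succeed.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
    openssl req -new -key server.key -subj "/CN=dbhost.example.com" \
        -config ca.cnf -out server.csr
    openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -days 365 -extfile ca.cnf -extensions v3_server -out server.crt
    # 4. What PostgreSQL needs: private keys must not be group/world readable or
    #    the server refuses to start; server_chain.crt (leaf first, then the
    #    intermediate) is what goes in ssl_cert_file, so a libpq client only
    #    needs root.crt in ~/.postgresql/root.crt.
    chmod 0600 root.key intermediate.key server.key
    cat server.crt intermediate.crt > server_chain.crt
  )
}

# 0 when server.crt chains to root.crt once the intermediate is supplied.
chain_ok() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/server.crt" >/dev/null 2>&1
}

# 0 when server.crt does NOT verify against the root alone: this is the
# failure a client sees if the server ships only its own certificate.
leaf_alone_fails() {
  ! openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Number of PEM certificates in the file PostgreSQL would serve.
chain_file_has_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1/server_chain.crt"
}

# Stand-alone run in a scratch directory (skipped if openssl is missing).
if command -v openssl >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  build_chain "$WORK"
  chain_ok "$WORK" && echo "server.crt verifies via the intermediate (files in $WORK)"
  leaf_alone_fails "$WORK" && echo "server.crt alone does not verify: ship the intermediate"
fi
```

The two verify calls are the point of the example: a server certificate issued by an intermediate is only trusted when the intermediate reaches the client, either inside the server's certificate file or from the client's own trust store, which is why the server-side file must carry the chain and the client side only the root.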