Date: Sat, 06 Oct 2018 08:17:04 +0900 (JST)
Message-Id: <20181006.081704.1372328430253415862.t-ishii@sraoss.co.jp>
To: pgsql-docs@postgresql.org
Subject: Creating Certificates
From: Tatsuo Ishii

In "18.9.3. Creating Certificates",

------------------------------------------------------------------
To create a server certificate whose identity can be validated by
clients, first create a certificate signing request (CSR) and a
public/private key file:

    openssl req -new -nodes -text -out root.csr \
      -keyout root.key -subj "/CN=root.yourdomain.com"
    chmod og-rwx root.key

Then, sign the request with the key to create a root certificate
authority (using the default OpenSSL configuration file location on
Linux):

    openssl x509 -req -in root.csr -text -days 3650 \
      -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
      -signkey root.key -out root.crt
------------------------------------------------------------------

For me it seems the two-step procedure can be replaced with the
following one command:

    openssl req -new -x509 -nodes -text -days 3650 \
      -config /etc/ssl/openssl.cnf -extensions v3_ca \
      -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"

Is there any reason why our doc recommends the two-step procedure?

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
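
One way to check the two procedures against each other, as an added example that is not part of the original message or the PostgreSQL documentation: it builds a root certificate both ways in scratch directories and prints the properties a verifying client depends on (subject, self-signed, CA flag, key matches certificate). Assumptions: a minimal constructed ca.cnf stands in for /etc/ssl/openssl.cnf so the script runs on any host with openssl, the function names are hypothetical, and the chmod from the documented procedure is kept in both variants.

```shell
# Added example: build the root CA with both procedures and compare the results.
# Assumption: ca.cnf below is a constructed stand-in for /etc/ssl/openssl.cnf.
write_cnf() {   # $1 = directory that receives ca.cnf
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
EOF
}

two_step() {    # documented procedure: CSR + key, then self-sign the CSR
    openssl req -new -nodes -text -config "$1/ca.cnf" -out "$1/root.csr" \
        -keyout "$1/root.key" -subj "/CN=root.yourdomain.com" 2>/dev/null &&
    chmod og-rwx "$1/root.key" &&
    openssl x509 -req -in "$1/root.csr" -text -days 3650 \
        -extfile "$1/ca.cnf" -extensions v3_ca \
        -signkey "$1/root.key" -out "$1/root.crt" 2>/dev/null
}

one_step() {    # single command from the message (chmod kept from the docs)
    openssl req -new -x509 -nodes -text -days 3650 \
        -config "$1/ca.cnf" -extensions v3_ca \
        -out "$1/root.crt" -keyout "$1/root.key" \
        -subj "/CN=root.yourdomain.com" 2>/dev/null &&
    chmod og-rwx "$1/root.key"
}

summary() {     # print the properties a verifying client depends on
    crt="$1/root.crt"; key="$1/root.key"
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    iss=$(openssl x509 -in "$crt" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    self=no; [ "$subj" = "$iss" ] && self=yes
    ca=no; openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' && ca=yes
    match=no    # the certificate's public key must be the one in root.key
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] && match=yes
    echo "subject=$subj self_signed=$self ca=$ca key_matches=$match"
}

compare() {     # build both roots in scratch dirs, print one summary line each
    d=$(mktemp -d) || return 1
    mkdir "$d/two" "$d/one"; write_cnf "$d/two"; write_cnf "$d/one"
    two_step "$d/two" && summary "$d/two"
    one_step "$d/one" && summary "$d/one"
    rm -rf "$d"
}
compare
```

The serial number and the key differ between the two runs by design; the summary lines compare only the fields listed above.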