Received: from malur.postgresql.org ([2a02:16a8:dc51::56])
	by arkaria.postgresql.org with esmtps
 (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256)
	(Exim 4.89)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1g8jB0-0000nN-E7
	for pgsql-hackers@arkaria.postgresql.org; Sat, 06 Oct 2018 09:47:10 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.89)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1g8jAv-0003fV-7W
	for pgsql-hackers@arkaria.postgresql.org; Sat, 06 Oct 2018 09:47:05 +0000
Received: from makus.postgresql.org ([2001:4800:1501:1::229])
	by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256)
	(Exim 4.89)
	(envelope-from <ishii@sraoss.co.jp>)
	id 1g8jAu-0003fN-P4
	for pgsql-hackers@lists.postgresql.org; Sat, 06 Oct 2018 09:47:04 +0000
Received: from sraihb2.sra.co.jp ([202.32.10.6])
	by makus.postgresql.org with esmtp (Exim 4.89)
	(envelope-from <ishii@sraoss.co.jp>)
	id 1g8jAm-0006po-Th
	for pgsql-hackers@postgresql.org; Sat, 06 Oct 2018 09:47:03 +0000
Received: from srascf.sra.co.jp (srascf [133.137.8.80])
	by sraihb2.sra.co.jp (Postfix) with ESMTP id 7EB402A15EF
	for <pgsql-hackers@postgresql.org>; Sat,  6 Oct 2018 18:46:54 +0900 (JST)
Received: from srascb.sra.co.jp (unknown [133.137.8.65]) by srascf.sra.co.jp
 with smtp
	 id 2e8c_04bf_376527f8_30bc_4eb2_aabf_0ec07b54d7bc;
	Sat, 06 Oct 2018 18:46:53 +0900
Received: from sranhm.sra.co.jp (osspc25 [133.137.174.97])
	by srascb.sra.co.jp (Postfix) with ESMTP id 509B22D6942
	for <pgsql-hackers@postgresql.org>; Sat,  6 Oct 2018 18:46:54 +0900 (JST)
Received: from localhost (sraihb-hub.sra.co.jp [133.137.8.6])
	by sranhm.sra.co.jp (Postfix) with ESMTP id 2D33BA10D7
	for <pgsql-hackers@postgresql.org>; Sat,  6 Oct 2018 18:46:54 +0900 (JST)
Date: Sat, 06 Oct 2018 18:46:54 +0900 (JST)
Message-Id: <20181006.184654.1746720307918096466.t-ishii@sraoss.co.jp>
To: pgsql-hackers@postgresql.org
Subject: Re: Creating Certificates
From: Tatsuo Ishii <ishii@sraoss.co.jp>
In-Reply-To: <20181006.081704.1372328430253415862.t-ishii@sraoss.co.jp>
References: <20181006.081704.1372328430253415862.t-ishii@sraoss.co.jp>
X-Mailer: Mew version 6.7 on Emacs 25.2 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Precedence: bulk

After sending below to pgsql-docs, I noticed if I follow the step
described in the doc[1], generated root.crt lacks below.

        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF
            X509v3 Authority Key Identifier: 
                keyid:3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

This is present if I use command[2]:
> openssl req -new -x509 -nodes -text -days 3650 \
>   -config /etc/ssl/openssl.cnf -extensions v3_ca \
>   -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"

I wonder if this is normal or not.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp

From: Tatsuo Ishii <ishii@sraoss.co.jp>
Subject: Creating Certificates
Date: Sat, 06 Oct 2018 08:17:04 +0900 (JST)
Message-ID: <20181006.081704.1372328430253415862.t-ishii@sraoss.co.jp>

> In "18.9.3. Creating Certificates",
> 
> ------------------------------------------------------------------
[1]
> To create a server certificate whose identity can be validated by
> clients, first create a certificate signing request (CSR) and a
> public/private key file:
> 
> openssl req -new -nodes -text -out root.csr \
>   -keyout root.key -subj "/CN=root.yourdomain.com"
> chmod og-rwx root.key
> 
> Then, sign the request with the key to create a root certificate
> authority (using the default OpenSSL configuration file location on
> Linux):
> 
> openssl x509 -req -in root.csr -text -days 3650 \
>   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
>   -signkey root.key -out root.crt
> ------------------------------------------------------------------
> 
> For me it seesm the two-step procedure can be replaced with following
> one command:
> 
[2]
> openssl req -new -x509 -nodes -text -days 3650 \
>   -config /etc/ssl/openssl.cnf -extensions v3_ca \
>   -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"
> 
> Is there any reaon why our doc recommend the two-step procedure?
> 
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
>