public inbox for [email protected]  
From: Bruce Momjian <[email protected]>
To: Tatsuo Ishii <[email protected]>
Cc: [email protected]
Subject: Re: Creating Certificates
Date: Sat, 13 Oct 2018 14:38:24 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

On Sat, Oct  6, 2018 at 08:17:04AM +0900, Tatsuo Ishii wrote:
> In "18.9.3. Creating Certificates",
> 
> ------------------------------------------------------------------
> To create a server certificate whose identity can be validated by
> clients, first create a certificate signing request (CSR) and a
> public/private key file:
> 
> openssl req -new -nodes -text -out root.csr \
>   -keyout root.key -subj "/CN=root.yourdomain.com"
> chmod og-rwx root.key
> 
> Then, sign the request with the key to create a root certificate
> authority (using the default OpenSSL configuration file location on
> Linux):
> 
> openssl x509 -req -in root.csr -text -days 3650 \
>   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
>   -signkey root.key -out root.crt
> ------------------------------------------------------------------
> 
> For me it seems the two-step procedure can be replaced with the following
> one command:
> 
> openssl req -new -x509 -nodes -text -days 3650 \
>   -config /etc/ssl/openssl.cnf -extensions v3_ca \
>   -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"
> 
> Is there any reason why our doc recommends the two-step procedure?

This was changed as part of this commit:

	commit 815f84aa166de294b80e80cc456b79128592720e
	Author: Bruce Momjian <[email protected]>
	Date:   Sat Jan 20 21:47:02 2018 -0500
	
	    doc:  update intermediate certificate instructions
	
	    Document how to properly create root and intermediate certificates using
	    v3_ca extensions and where to place intermediate certificates so they
	    are properly transferred to the remote side with the leaf certificate to
	    link to the remote root certificate.  This corrects docs that used to
	    say that intermediate certificates must be stored with the root
	    certificate.
	
	    Also add instructions on how to create root, intermediate, and leaf
	    certificates.
	
	    Discussion: https://postgr.es/m/[email protected]
	
	    Reviewed-by: Michael Paquier
	
	    Backpatch-through: 9.3

The reason I did this in two steps was so I could explain each step
independently, and because the next paragraph, "create a server
certificate signed by the new root certificate authority", also requires
two steps.  My goal was that the first command in each example creates
the CSR and public key pair, and the second command signs it.  If the
first example uses only one command and the second example needs to use
two commands, it appears more complex.

I guess we could show the single-command example as an alternative, but
that seems more complex too.

-- 
  Bruce Momjian  <[email protected]>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
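The two procedures under discussion, as an added example that is not part of the thread or of the PostgreSQL documentation: the script below builds a root CA both ways (CSR followed by `x509 -req -signkey`, and the single `req -x509` command), issues a server certificate from each, and checks that the results are interchangeable. The config file, the `v3_ca`/`v3_leaf` sections, the CN values and the scratch directories are all constructed here so the script does not depend on where `/etc/ssl/openssl.cnf` lives on a given platform; the `v3_ca` section mirrors what the stock config provides (`CA:TRUE` with `keyCertSign`), which is the part that matters for a certificate to be accepted as an issuer.

```shell
#!/bin/sh
# Added example: build a root CA the two-step way and the one-step way,
# then show both produce a CA certificate that validates a leaf it signed.
# All names, paths and config contents are constructed for this demo.
set -eu

# Minimal constructed OpenSSL config. [req] must name a distinguished_name
# section even when -subj is used; v3_ca/v3_leaf are the extension sets.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Two-step form (as in the docs): CSR + key pair first, then self-sign
# the CSR with v3_ca extensions.  $1 = output dir, $2 = config path
ca_two_step() {
  openssl req -new -nodes -newkey rsa:2048 -config "$2" \
    -out "$1/root.csr" -keyout "$1/root.key" -subj "/CN=root.example.test"
  chmod og-rwx "$1/root.key"
  openssl x509 -req -in "$1/root.csr" -days 3650 \
    -extfile "$2" -extensions v3_ca \
    -signkey "$1/root.key" -out "$1/root.crt"
}

# One-step form (as proposed in the thread): req -x509 does both at once.
ca_one_step() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -config "$2" -extensions v3_ca \
    -out "$1/root.crt" -keyout "$1/root.key" -subj "/CN=root.example.test"
  chmod og-rwx "$1/root.key"
}

# Issue a server (leaf) certificate signed by the CA living in $1.
issue_leaf() {
  openssl req -new -nodes -newkey rsa:2048 -config "$2" \
    -out "$1/server.csr" -keyout "$1/server.key" -subj "/CN=dbhost.example.test"
  chmod og-rwx "$1/server.key"
  openssl x509 -req -in "$1/server.csr" -days 365 \
    -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
    -extfile "$2" -extensions v3_leaf -out "$1/server.crt"
}

# Prints "yes" if the certificate carries basicConstraints CA:TRUE.
is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# Prints "ok" if leaf $2 chains to CA certificate $1, else "fail".
verify_leaf() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Run the demo in a scratch directory.
DEMO_DIR=$(mktemp -d)
CNF="$DEMO_DIR/openssl.cnf"
write_cnf "$CNF"
mkdir -p "$DEMO_DIR/twostep" "$DEMO_DIR/onestep"
ca_two_step "$DEMO_DIR/twostep" "$CNF"
ca_one_step "$DEMO_DIR/onestep" "$CNF"
issue_leaf "$DEMO_DIR/twostep" "$CNF"
issue_leaf "$DEMO_DIR/onestep" "$CNF"

for form in twostep onestep; do
  printf '%s: root is CA=%s, leaf is CA=%s, leaf verifies=%s\n' "$form" \
    "$(is_ca "$DEMO_DIR/$form/root.crt")" \
    "$(is_ca "$DEMO_DIR/$form/server.crt")" \
    "$(verify_leaf "$DEMO_DIR/$form/root.crt" "$DEMO_DIR/$form/server.crt")"
done
# Same subject name, different key: the other CA must not validate the leaf.
printf 'cross-check (onestep CA vs twostep leaf): %s\n' \
  "$(verify_leaf "$DEMO_DIR/onestep/root.crt" "$DEMO_DIR/twostep/server.crt")"
```

Both forms print `root is CA=yes` and `leaf verifies=ok`; the cross-check prints `fail`, which is the behaviour a client should show when a leaf is presented with a root that shares the CA's name but not its key. The `-extensions v3_ca` part is what both forms have in common and what the 2018 docs change was about: without it the signed certificate has no `basicConstraints`, and a v3 certificate without `CA:TRUE` is rejected as an issuer for anything below it.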



