Date: Tue, 16 Oct 2018 11:45:53 +0900 (JST)
Message-Id: <20181016.114553.1868483927391308309.t-ishii@sraoss.co.jp>
To: andrew.dunstan@2ndquadrant.com
Cc: pgsql-hackers@postgresql.org
Subject: Re: Creating Certificates
From: Tatsuo Ishii
In-Reply-To: <6ed0ecd3-c815-8aae-46f0-1a992d9cf381@2ndQuadrant.com>
References: <20181006.081704.1372328430253415862.t-ishii@sraoss.co.jp> <20181006.184654.1746720307918096466.t-ishii@sraoss.co.jp> <6ed0ecd3-c815-8aae-46f0-1a992d9cf381@2ndQuadrant.com>

> I'm not opposed to simplifying the instructions, however.

Ok, attached is a proposal to simplify the instructions.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp

Attachment: creating-certificates.diff

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 8d9d40664b..23f080eeab 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2426,21 +2426,15 @@ chmod og-rwx server.key - To create a server certificate whose identity can be validated - by clients, first create a certificate signing request - (CSR) and a public/private key file: + To create a server certificate whose identity can be validated by + clients, create a root certificate authority (using the + default OpenSSL configuration file location + on Linux): -openssl req -new -nodes -text -out root.csr \ - -keyout root.key -subj "/CN=root.yourdomain.com" +openssl req -new -x509 -nodes -text -days 3650 \ + -config /etc/ssl/openssl.cnf -extensions v3_ca \ + -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com" chmod og-rwx root.key - - Then, sign the request with the key to create a root certificate - authority (using the default OpenSSL - configuration file location on Linux): - -openssl x509 -req -in root.csr -text -days 3650 \ - -extfile /etc/ssl/openssl.cnf -extensions v3_ca \ - -signkey root.key -out root.crt Finally, create a server certificate signed by the new root certificate authority:
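Review bot: the trailing context paragraph still opens with "Finally, create a server certificate signed by the new root certificate authority:", but once the "Then, sign the request with the key ..." step is removed only a single step precedes it, so "Next," or "Then," reads better than "Finally,". The new lead-in sentence ("create a root certificate authority") also drops the old text's mention that the command generates a private key; since the retained `chmod og-rwx root.key` line depends on that file existing, spell it out, e.g. "create a root certificate authority and its private key". Replacing the CSR-plus-`openssl x509 -req ... -signkey root.key` pair with a single `openssl req -new -x509 ... -config /etc/ssl/openssl.cnf -extensions v3_ca` yields the same self-signed CA certificate and key in one step, so the simplification itself is sound; the one behavioural difference worth a sentence in the docs is that `-config` selects the configuration file for the whole run, whereas the old `-extfile` only supplied the extensions section on top of the default config, so the hard-coded path now governs the request defaults too on systems whose default config lives elsewhere (the old text carried the same path, so this is not a regression).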