Date: Mon, 15 Oct 2018 22:49:29 -0400
From: Bruce Momjian
To: Tatsuo Ishii
Cc: andrew.dunstan@2ndquadrant.com, pgsql-hackers@postgresql.org
Subject: Re: Creating Certificates
Message-ID: <20181016024929.GA31154@momjian.us>
References: <20181006.081704.1372328430253415862.t-ishii@sraoss.co.jp> <20181006.184654.1746720307918096466.t-ishii@sraoss.co.jp> <6ed0ecd3-c815-8aae-46f0-1a992d9cf381@2ndQuadrant.com> <20181016.114553.1868483927391308309.t-ishii@sraoss.co.jp>
In-Reply-To: <20181016.114553.1868483927391308309.t-ishii@sraoss.co.jp>

On Tue, Oct 16, 2018 at 11:45:53AM +0900, Tatsuo Ishii wrote:
> > I'm not opposed to simplifying the instructions, however.
>
> Ok, attached is a proposal to simplify the instructions.

I am against this simplification for the reasons I stated in this thread.

---------------------------------------------------------------------------

>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese: http://www.sraoss.co.jp
> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
> index 8d9d40664b..23f080eeab 100644
> --- a/doc/src/sgml/runtime.sgml
> +++ b/doc/src/sgml/runtime.sgml
> @@ -2426,21 +2426,15 @@ chmod og-rwx server.key > > > > - To create a server certificate whose identity can be validated > - by clients, first create a certificate signing request > - (CSR) and a public/private key file: > + To create a server certificate whose identity can be validated by > + clients, create a root certificate authority (using the > + default OpenSSL configuration file location > + on Linux): > > -openssl req -new -nodes -text -out root.csr \ > - -keyout root.key -subj "/CN=root.yourdomain.com" > +openssl req -new -x509 -nodes -text -days 3650 \ > + -config /etc/ssl/openssl.cnf -extensions v3_ca \ > + -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com" > chmod og-rwx root.key > - > - Then, sign the request with the key to create a root certificate > - authority (using the default OpenSSL > - configuration file location on Linux): > - > -openssl x509 -req -in root.csr -text -days 3650 \ > - -extfile /etc/ssl/openssl.cnf -extensions v3_ca \ > - -signkey root.key -out root.crt > > Finally, create a server certificate signed by the new root certificate > authority: -- Bruce Momjian http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
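Review bot: the trailing context line "Finally, create a server certificate signed by the new root certificate authority:" no longer follows a first/then sequence once the "Then, sign the request ..." paragraph is removed, so "Finally" reads wrong after a single step; suggest changing it to "Next, create a server certificate signed by the new root certificate authority:" in the same hunk. The replacement paragraph should also say that `-config /etc/ssl/openssl.cnf` makes `openssl req` read that file instead of its compiled-in default, so the `v3_ca` section named by `-extensions` has to exist in it (it does in the stock Linux file the text points at), whereas the removed `-extfile` form only supplied an extensions file on top of the defaults; readers on other platforms will hit a missing-section error rather than a missing-file error if the path is wrong. Net result of the two commands is otherwise the same: a self-signed root certificate carrying the `v3_ca` extensions, valid for 3650 days, with the private key kept in `root.key`.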