Thread

Commits

  1. Simplify docs on creating a self-signed SSL certificate

  1. Self-signed certificate instructions

    Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-04-15T13:58:15Z

    The instructions on how to create a self-signed certificate in s 18.9.3
    of the docs seem unduly cumbersome. AFAICT we could replace all the
    commands (except the chmod) with something like this:
    
        |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
        -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
    
    Is there any reason for sticking with the current instructions?
    
    cheers
    
    andrew
    
    -- 
    Andrew Dunstan                https://www.2ndQuadrant.com
    PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
    
    
    
    
  2. Re: Self-signed certificate instructions

    Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-04-15T15:17:14Z

    
    On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
    > The instructions on how to create a self-signed certificate in s 18.9.3
    > of the docs seem unduly cumbersome. AFAICT we could replace all the
    > commands (except the chmod) with something like this:
    >
    >     |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
    >     -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
    >
    > Is there any reason for sticking with the current instructions?
    >
    
    Argh. Darn Thunderbird. This should of course be:
    
    
        openssl req -new-x509 -days 365-nodes \
        	-text -out server.crt \
        	-keyout server.key \
        	-subj  "/C=XY/CN=yourdomain.name"
    
    
    cheers
    
    andrew
    
    -- 
    Andrew Dunstan                https://www.2ndQuadrant.com
    PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
    
    
    
    
  3. Re: Self-signed certificate instructions

    Tom Lane <tgl@sss.pgh.pa.us> — 2017-04-15T17:54:36Z

    Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
    > The instructions on how to create a self-signed certificate in s 18.9.3
    > of the docs seem unduly cumbersome.
    
    Yeah, I noticed that they seemed unnecessarily manual.  +1 for
    simplifying.
    
    			regards, tom lane
    
    
    
  4. Re: Self-signed certificate instructions

    Magnus Hagander <magnus@hagander.net> — 2017-04-15T18:11:21Z

    On Sat, Apr 15, 2017 at 7:54 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    
    > Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
    > > The instructions on how to create a self-signed certificate in s 18.9.3
    > > of the docs seem unduly cumbersome.
    >
    > Yeah, I noticed that they seemed unnecessarily manual.  +1 for
    > simplifying.
    >
    
    Seems reasonable, +1 for simplifications.
    
    -- 
     Magnus Hagander
     Me: https://www.hagander.net/ <http://www.hagander.net/>
     Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
    
  5. Re: Self-signed certificate instructions

    Bruce Momjian <bruce@momjian.us> — 2017-04-17T18:19:00Z

    On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote:
    > 
    > 
    > On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
    > > The instructions on how to create a self-signed certificate in s 18.9.3
    > > of the docs seem unduly cumbersome. AFAICT we could replace all the
    > > commands (except the chmod) with something like this:
    > >
    > >     |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
    > >     -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
    > >
    > > Is there any reason for sticking with the current instructions?
    > >
    > 
    > Argh. Darn Thunderbird. This should of course be:
    > 
    > 
    >     openssl req -new-x509 -days 365-nodes \
                                      ^^^^^^^^^
    
    I think you meant "-days 365 -nodes" here.
    
    I think the reason we have those cumbersome instructions is that there
    is no way to create a non-expireable certificate using simpler
    instructions.
    
    I would like to revisit these instructions, as well as document how to
    create intermediate certificates.  I have scripts that do that.
    
    -- 
      Bruce Momjian  <bruce@momjian.us>        http://momjian.us
      EnterpriseDB                             http://enterprisedb.com
    
    + As you are, so once was I.  As I am, so you will be. +
    +                      Ancient Roman grave inscription +
    
    
    
  6. Re: Self-signed certificate instructions

    Tom Lane <tgl@sss.pgh.pa.us> — 2017-04-17T19:43:09Z

    Bruce Momjian <bruce@momjian.us> writes:
    > I think the reason we have those cumbersome instructions is that there
    > is no way to create a non-expireable certificate using simpler
    > instructions.
    
    Um ... but the current instructions don't address that either.
    
    > I would like to revisit these instructions, as well as document how to
    > create intermediate certificates.  I have scripts that do that.
    
    I don't think we should try to teach people how to use openssl.
    A quick example of setting up a dummy certificate for testing is fine,
    but going much beyond that is not our turf.
    
    			regards, tom lane
    
    
    
  7. Re: Self-signed certificate instructions

    Bruce Momjian <bruce@momjian.us> — 2017-04-17T20:09:28Z

    On Mon, Apr 17, 2017 at 03:43:09PM -0400, Tom Lane wrote:
    > Bruce Momjian <bruce@momjian.us> writes:
    > > I think the reason we have those cumbersome instructions is that there
    > > is no way to create a non-expireable certificate using simpler
    > > instructions.
    > 
    > Um ... but the current instructions don't address that either.
    
    Uh, I thought the instructions were needed for non-expiration, but I now
    remember it was to allow for non-password keys, but now I see it is not
    needed, so +1 for making the simplification.
    
    > > I would like to revisit these instructions, as well as document how to
    > > create intermediate certificates.  I have scripts that do that.
    > 
    > I don't think we should try to teach people how to use openssl.
    > A quick example of setting up a dummy certificate for testing is fine,
    > but going much beyond that is not our turf.
    
    We had an open item for years about people complaining that the client
    required the entire chain to the root (and our documention currently
    mentions that requirement), but it turns out this is only necessary if
    you don't create the intermediate certificates with the proper
    certificate flag, e.g. -extensions v3_ca.  I will generate a patch that
    at least mentions that requirement.
    
    -- 
      Bruce Momjian  <bruce@momjian.us>        http://momjian.us
      EnterpriseDB                             http://enterprisedb.com
    
    + As you are, so once was I.  As I am, so you will be. +
    +                      Ancient Roman grave inscription +
    
    
    
  8. Re: Self-signed certificate instructions

    Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-04-17T20:27:30Z

    
    On 04/17/2017 02:19 PM, Bruce Momjian wrote:
    > On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote:
    >>
    >> On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
    >>> The instructions on how to create a self-signed certificate in s 18.9.3
    >>> of the docs seem unduly cumbersome. AFAICT we could replace all the
    >>> commands (except the chmod) with something like this:
    >>>
    >>>     |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
    >>>     -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
    >>>
    >>> Is there any reason for sticking with the current instructions?
    >>>
    >> Argh. Darn Thunderbird. This should of course be:
    >>
    >>
    >>     openssl req -new-x509 -days 365-nodes \
    >                                   ^^^^^^^^^
    >
    > I think you meant "-days 365 -nodes" here.
    
    
    yes.
    
    
    >
    > I think the reason we have those cumbersome instructions is that there
    > is no way to create a non-expireable certificate using simpler
    > instructions.
    
    
    You can make it for a very large number of days. 9999 should be plenty :-)
    
    TBH very long lived keys are a bad idea. In fact, self-signed
    certificates in any production or publicly visible instance are also a
    bad idea.
    
    
    >
    > I would like to revisit these instructions, as well as document how to
    > create intermediate certificates.  I have scripts that do that.
    >
    
    
    OK.. Do you want to run with this?
    
    cheers
    
    andrew
    
    
    -- 
    Andrew Dunstan                https://www.2ndQuadrant.com
    PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
    
    
    
    
  9. Re: Self-signed certificate instructions

    Bruce Momjian <bruce@momjian.us> — 2017-04-17T20:40:28Z

    On Mon, Apr 17, 2017 at 04:27:30PM -0400, Andrew Dunstan wrote:
    > > I would like to revisit these instructions, as well as document how to
    > > create intermediate certificates.  I have scripts that do that.
    > >
    > 
    > 
    > OK.. Do you want to run with this?
    
    Please go forward and I will work on the intermediate certificate issue
    in a few months.
    
    -- 
      Bruce Momjian  <bruce@momjian.us>        http://momjian.us
      EnterpriseDB                             http://enterprisedb.com
    
    + As you are, so once was I.  As I am, so you will be. +
    +                      Ancient Roman grave inscription +
    
    
    
  10. Re: Self-signed certificate instructions

    Andreas Karlsson <andreas@proxel.se> — 2017-04-17T20:42:54Z

    On 04/15/2017 03:58 PM, Andrew Dunstan wrote:
    > The instructions on how to create a self-signed certificate in s 18.9.3
    > of the docs seem unduly cumbersome.
    
    +1, I see no reason for us to spread unnecessarily complicated instructions.
    
    Andreas