Thread
Commits
-
Simplify docs on creating a self-signed SSL certificate
- 2b67c9d207d4 10.0 landed
-
Self-signed certificate instructions
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-04-15T13:58:15Z
The instructions on how to create a self-signed certificate in s 18.9.3 of the docs seem unduly cumbersome. AFAICT we could replace all the commands (except the chmod) with something like this: |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\ -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"| Is there any reason for sticking with the current instructions? cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -
Re: Self-signed certificate instructions
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-04-15T15:17:14Z
On 04/15/2017 09:58 AM, Andrew Dunstan wrote: > The instructions on how to create a self-signed certificate in s 18.9.3 > of the docs seem unduly cumbersome. AFAICT we could replace all the > commands (except the chmod) with something like this: > > |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\ > -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"| > > Is there any reason for sticking with the current instructions? > Argh. Darn Thunderbird. This should of course be: openssl req -new-x509 -days 365-nodes \ -text -out server.crt \ -keyout server.key \ -subj "/C=XY/CN=yourdomain.name" cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -
Re: Self-signed certificate instructions
Tom Lane <tgl@sss.pgh.pa.us> — 2017-04-15T17:54:36Z
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes: > The instructions on how to create a self-signed certificate in s 18.9.3 > of the docs seem unduly cumbersome. Yeah, I noticed that they seemed unnecessarily manual. +1 for simplifying. regards, tom lane
-
Re: Self-signed certificate instructions
Magnus Hagander <magnus@hagander.net> — 2017-04-15T18:11:21Z
On Sat, Apr 15, 2017 at 7:54 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes: > > The instructions on how to create a self-signed certificate in s 18.9.3 > > of the docs seem unduly cumbersome. > > Yeah, I noticed that they seemed unnecessarily manual. +1 for > simplifying. > Seems reasonable, +1 for simplifications. -- Magnus Hagander Me: https://www.hagander.net/ <http://www.hagander.net/> Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
-
Re: Self-signed certificate instructions
Bruce Momjian <bruce@momjian.us> — 2017-04-17T18:19:00Z
On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote: > > > On 04/15/2017 09:58 AM, Andrew Dunstan wrote: > > The instructions on how to create a self-signed certificate in s 18.9.3 > > of the docs seem unduly cumbersome. AFAICT we could replace all the > > commands (except the chmod) with something like this: > > > > |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\ > > -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"| > > > > Is there any reason for sticking with the current instructions? > > > > Argh. Darn Thunderbird. This should of course be: > > > openssl req -new-x509 -days 365-nodes \ ^^^^^^^^^ I think you meant "-days 365 -nodes" here. I think the reason we have those cumbersome instructions is that there is no way to create a non-expireable certificate using simpler instructions. I would like to revisit these instructions, as well as document how to create intermediate certificates. I have scripts that do that. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription + -
Re: Self-signed certificate instructions
Tom Lane <tgl@sss.pgh.pa.us> — 2017-04-17T19:43:09Z
Bruce Momjian <bruce@momjian.us> writes: > I think the reason we have those cumbersome instructions is that there > is no way to create a non-expireable certificate using simpler > instructions. Um ... but the current instructions don't address that either. > I would like to revisit these instructions, as well as document how to > create intermediate certificates. I have scripts that do that. I don't think we should try to teach people how to use openssl. A quick example of setting up a dummy certificate for testing is fine, but going much beyond that is not our turf. regards, tom lane
-
Re: Self-signed certificate instructions
Bruce Momjian <bruce@momjian.us> — 2017-04-17T20:09:28Z
On Mon, Apr 17, 2017 at 03:43:09PM -0400, Tom Lane wrote: > Bruce Momjian <bruce@momjian.us> writes: > > I think the reason we have those cumbersome instructions is that there > > is no way to create a non-expireable certificate using simpler > > instructions. > > Um ... but the current instructions don't address that either. Uh, I thought the instructions were needed for non-expiration, but I now remember it was to allow for non-password keys, but now I see it is not needed, so +1 for making the simplification. > > I would like to revisit these instructions, as well as document how to > > create intermediate certificates. I have scripts that do that. > > I don't think we should try to teach people how to use openssl. > A quick example of setting up a dummy certificate for testing is fine, > but going much beyond that is not our turf. We had an open item for years about people complaining that the client required the entire chain to the root (and our documention currently mentions that requirement), but it turns out this is only necessary if you don't create the intermediate certificates with the proper certificate flag, e.g. -extensions v3_ca. I will generate a patch that at least mentions that requirement. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
-
Re: Self-signed certificate instructions
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-04-17T20:27:30Z
On 04/17/2017 02:19 PM, Bruce Momjian wrote: > On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote: >> >> On 04/15/2017 09:58 AM, Andrew Dunstan wrote: >>> The instructions on how to create a self-signed certificate in s 18.9.3 >>> of the docs seem unduly cumbersome. AFAICT we could replace all the >>> commands (except the chmod) with something like this: >>> >>> |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\ >>> -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"| >>> >>> Is there any reason for sticking with the current instructions? >>> >> Argh. Darn Thunderbird. This should of course be: >> >> >> openssl req -new-x509 -days 365-nodes \ > ^^^^^^^^^ > > I think you meant "-days 365 -nodes" here. yes. > > I think the reason we have those cumbersome instructions is that there > is no way to create a non-expireable certificate using simpler > instructions. You can make it for a very large number of days. 9999 should be plenty :-) TBH very long lived keys are a bad idea. In fact, self-signed certificates in any production or publicly visible instance are also a bad idea. > > I would like to revisit these instructions, as well as document how to > create intermediate certificates. I have scripts that do that. > OK.. Do you want to run with this? cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
-
Re: Self-signed certificate instructions
Bruce Momjian <bruce@momjian.us> — 2017-04-17T20:40:28Z
On Mon, Apr 17, 2017 at 04:27:30PM -0400, Andrew Dunstan wrote: > > I would like to revisit these instructions, as well as document how to > > create intermediate certificates. I have scripts that do that. > > > > > OK.. Do you want to run with this? Please go forward and I will work on the intermediate certificate issue in a few months. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
-
Re: Self-signed certificate instructions
Andreas Karlsson <andreas@proxel.se> — 2017-04-17T20:42:54Z
On 04/15/2017 03:58 PM, Andrew Dunstan wrote: > The instructions on how to create a self-signed certificate in s 18.9.3 > of the docs seem unduly cumbersome. +1, I see no reason for us to spread unnecessarily complicated instructions. Andreas