Thread: [HACKERS] Self-signed certificate instructions
The instructions on how to create a self-signed certificate in s 18.9.3
of the docs seem unduly cumbersome. AFAICT we could replace all the
commands (except the chmod) with something like this:

|openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
-keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|

Is there any reason for sticking with the current instructions?

cheers

andrew

--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
> The instructions on how to create a self-signed certificate in s 18.9.3
> of the docs seem unduly cumbersome. AFAICT we could replace all the
> commands (except the chmod) with something like this:
>
> |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
> -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
>
> Is there any reason for sticking with the current instructions?
>

Argh. Darn Thunderbird. This should of course be:

openssl req -new-x509 -days 365-nodes \
   -text -out server.crt \
   -keyout server.key \
   -subj "/C=XY/CN=yourdomain.name"

cheers

andrew

--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
> The instructions on how to create a self-signed certificate in s 18.9.3
> of the docs seem unduly cumbersome.

Yeah, I noticed that they seemed unnecessarily manual. +1 for
simplifying.

regards, tom lane
On Sat, Apr 15, 2017 at 7:54 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
>> The instructions on how to create a self-signed certificate in s 18.9.3
>> of the docs seem unduly cumbersome.
>
> Yeah, I noticed that they seemed unnecessarily manual. +1 for
> simplifying.

Seems reasonable, +1 for simplifications.
On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote:
>
>
> On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
> > The instructions on how to create a self-signed certificate in s 18.9.3
> > of the docs seem unduly cumbersome. AFAICT we could replace all the
> > commands (except the chmod) with something like this:
> >
> > |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
> > -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
> >
> > Is there any reason for sticking with the current instructions?
> >
>
> Argh. Darn Thunderbird. This should of course be:
>
>
> openssl req -new-x509 -days 365-nodes \
                              ^^^^^^^^^

I think you meant "-days 365 -nodes" here.

I think the reason we have those cumbersome instructions is that there
is no way to create a non-expirable certificate using simpler
instructions.

I would like to revisit these instructions, as well as document how to
create intermediate certificates. I have scripts that do that.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
Bruce Momjian <bruce@momjian.us> writes:
> I think the reason we have those cumbersome instructions is that there
> is no way to create a non-expirable certificate using simpler
> instructions.

Um ... but the current instructions don't address that either.

> I would like to revisit these instructions, as well as document how to
> create intermediate certificates. I have scripts that do that.

I don't think we should try to teach people how to use openssl.
A quick example of setting up a dummy certificate for testing is fine,
but going much beyond that is not our turf.

regards, tom lane
On Mon, Apr 17, 2017 at 03:43:09PM -0400, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > I think the reason we have those cumbersome instructions is that there
> > is no way to create a non-expirable certificate using simpler
> > instructions.
>
> Um ... but the current instructions don't address that either.

Uh, I thought the instructions were needed for non-expiration, but I now
remember it was to allow for non-password keys, but now I see it is not
needed, so +1 for making the simplification.

> > I would like to revisit these instructions, as well as document how to
> > create intermediate certificates. I have scripts that do that.
>
> I don't think we should try to teach people how to use openssl.
> A quick example of setting up a dummy certificate for testing is fine,
> but going much beyond that is not our turf.

We had an open item for years about people complaining that the client
required the entire chain to the root (and our documentation currently
mentions that requirement), but it turns out this is only necessary if
you don't create the intermediate certificates with the proper
certificate flag, e.g. -extensions v3_ca. I will generate a patch that
at least mentions that requirement.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
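As an added example (not code from the thread, the PostgreSQL docs or any participant): the proposed one-liner with its whitespace restored, followed by a root/intermediate/server chain that shows what the v3_ca remark above means in practice, since a chain whose intermediate lacks basicConstraints CA:TRUE does not verify against the root. Subjects and hostnames are placeholders, and explicit extension files stand in for the openssl.cnf section so nothing depends on the system config.

```shell
#!/bin/sh
# Added example, not code from the thread or the PostgreSQL docs: runs the
# simplified self-signed one-liner, then builds root -> intermediate -> server
# and shows the chain only verifies when the intermediate has basicConstraints
# CA:TRUE (what "-extensions v3_ca" selects from the stock openssl.cnf; explicit
# extension files are used here so nothing depends on the system config).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# The proposed single command (with the whitespace Thunderbird ate restored)
# plus the chmod the docs already require. Subject is a placeholder.
openssl req -new -x509 -days 365 -nodes -text -out server.crt \
  -keyout server.key -subj "/C=XY/CN=yourdomain.name" 2>/dev/null
chmod og-rwx server.key

# CA extensions (same effect as v3_ca) and a deliberately non-CA variant.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > noca.ext

# Keys and CSRs for root, intermediate and server (leaf); self-sign the root.
for n in root inter leaf; do
  openssl req -new -nodes -out "$n.csr" -keyout "$n.key" -subj "/CN=Test $n" 2>/dev/null
done
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
  -out root.crt 2>/dev/null

# sign_chain EXTFILE NAME: issue the intermediate from the root with the given
# extensions, then issue the leaf from that intermediate.
sign_chain() {
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -extfile "$1" -out "$2.crt" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA "$2.crt" -CAkey inter.key -CAcreateserial \
    -days 365 -out "$2-leaf.crt" 2>/dev/null
}

# verify_chain INTERMEDIATE LEAF: OK or FAIL, as a client that trusts only
# root.crt and is handed the intermediate would see it.
verify_chain() {
  if openssl verify -CAfile root.crt -untrusted "$1" "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

sign_chain ca.ext good
sign_chain noca.ext bad
result_good=$(verify_chain good.crt good-leaf.crt)   # OK
result_bad=$(verify_chain bad.crt bad-leaf.crt)      # FAIL
self_signed=$(openssl verify -CAfile server.crt server.crt >/dev/null 2>&1 && echo OK || echo FAIL)
printf 'CA:TRUE intermediate: %s\nCA:FALSE intermediate: %s\nself-signed server.crt: %s\n' \
  "$result_good" "$result_bad" "$self_signed"
```

The FAIL case is the one the thread describes: a client that trusts only the root cannot build a valid chain through an intermediate issued without the CA flag, so the whole chain had to be shipped instead.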
On 04/17/2017 02:19 PM, Bruce Momjian wrote:
> On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote:
>>
>> On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
>>> The instructions on how to create a self-signed certificate in s 18.9.3
>>> of the docs seem unduly cumbersome. AFAICT we could replace all the
>>> commands (except the chmod) with something like this:
>>>
>>> |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
>>> -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
>>>
>>> Is there any reason for sticking with the current instructions?
>>>
>> Argh. Darn Thunderbird. This should of course be:
>>
>>
>> openssl req -new-x509 -days 365-nodes \
>                               ^^^^^^^^^
>
> I think you meant "-days 365 -nodes" here.

yes.

>
> I think the reason we have those cumbersome instructions is that there
> is no way to create a non-expirable certificate using simpler
> instructions.

You can make it for a very large number of days. 9999 should be plenty :-)

TBH very long lived keys are a bad idea. In fact, self-signed
certificates in any production or publicly visible instance are also a
bad idea.

>
> I would like to revisit these instructions, as well as document how to
> create intermediate certificates. I have scripts that do that.
>

OK.. Do you want to run with this?

cheers

andrew

--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
On Mon, Apr 17, 2017 at 04:27:30PM -0400, Andrew Dunstan wrote:
> > I would like to revisit these instructions, as well as document how to
> > create intermediate certificates. I have scripts that do that.
> >
>
>
> OK.. Do you want to run with this?

Please go forward and I will work on the intermediate certificate issue
in a few months.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
On 04/15/2017 03:58 PM, Andrew Dunstan wrote:
> The instructions on how to create a self-signed certificate in s 18.9.3
> of the docs seem unduly cumbersome.

+1, I see no reason for us to spread unnecessarily complicated instructions.

Andreas