Matthew Kirkwood wrote:
>On Wed, 20 Dec 2000, Oliver Elphick wrote:
>
>> To create a quick self-signed certificate, use the CA.pl script
>> included in OpenSSL:
...
>Or you can do it manually:
>
>openssl req -new -text -out cert.req (you will have to enter a password)
>mv privkey.pem cert.pem.pw
>openssl rsa -in cert.pem.pw -out cert.pem (this removes the password)
>openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
then
cp cert.pem $PGDATA/server.key
cp cert.cert $PGDATA/server.crt

Thank you; this works. I attach a documentation patch.
*** sgml.orig/runtime.sgml Thu Dec 21 16:21:45 2000 --- sgml/runtime.sgml Thu Dec 21 16:47:18 2000 *************** *** 1823,1848 **** <para> For details on how to create your server private key and certificate, refer to the <productname>OpenSSL</> documentation. A simple self-signed ! certificate can be used to get started testing, but a certificate signed by a CA (either one of the global CAs or a local one) should be used in production so the client can verify the servers identity. To create ! a quick self-signed certificate, use the <filename>CA.pl</filename> ! script included in OpenSSL: ! <programlisting> ! CA.pl -newcert ! </programlisting> ! Fill out the information the script asks for. Make sure to enter ! the local host name as Common Name. The script will generate a key ! that is passphrase protected. To remove the passphrase (required ! if you want automatic start-up of the postmaster), run the command ! <programlisting> ! openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem ! </programlisting> ! Enter the old passphrase to unlock the existing key. Copy the file ! <filename>newreq.pem</> to <filename><replaceable>PGDATA</>/server.crt</> ! and <filename>newkey_no_passphrase.pem</> to ! <filename><replaceable>PGDATA</>/server.key</>. Remove the PRIVATE KEY part ! from the <filename>server.crt</filename> using any text editor. </para> </sect1> --- 1823,1853 ---- <para> For details on how to create your server private key and certificate, refer to the <productname>OpenSSL</> documentation. A simple self-signed ! certificate can be used to get started for testing, but a certificate signed by a CA (either one of the global CAs or a local one) should be used in production so the client can verify the servers identity. To create ! a quick self-signed certificate, use the following OpenSSL command: ! <programlisting> ! openssl req -new -text -out cert.req ! </programlisting> ! Fill out the information that openssl asks for. 
Make sure that you enter ! the local host name as Common Name; the challenge password can be ! left blank. The script will generate a key that is passphrase protected; ! it will not accept a pass phrase that is less than four characters long. ! To remove the passphrase (as you must if you want automatic start-up of ! the postmaster), run the commands ! <programlisting> ! mv privkey.pem cert.pem.pw ! openssl rsa -in cert.pem.pw -out cert.pem ! </programlisting> ! Enter the old passphrase to unlock the existing key. Now do ! </programlisting> ! openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert ! cp cert.pem $PGDATA/server.key ! cp cert.cert $PGDATA/server.crt ! </programlisting> ! to turn the certificate into a self-signed certificate and to copy the ! key and certificate to where the postmaster will look for them. </para> </sect1>
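Review bot: In the new text (1823,1853), the third listing after "Now do" opens with `</programlisting>` where `<programlisting>` is needed, so the block holding the `openssl req -x509` and `cp` lines has unbalanced markup; change that first tag to an opening one. The sentence "The script will generate a key that is passphrase protected" is left over from the CA.pl wording and should name the `openssl req` command instead, and "pass phrase" should match the "passphrase" spelling used in the rest of the paragraph; "servers identity" could become "server's identity" while the paragraph is being touched. Because `cert.pem` is the private key with its passphrase removed, the text should also tell the reader to restrict access to `$PGDATA/server.key` (for example `chmod 600`) and to remove the leftover `cert.pem` and `cert.pem.pw` copies once the key is in place. The listing writes `$PGDATA` as a shell variable where the replaced text used `<replaceable>PGDATA</>`; a short remark that it stands for the data directory would keep that clear for readers who do not have the variable set.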
Oliver Elphick [EMAIL PROTECTED]
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"For a child will be born to us, a son will be given to us;
And the government will rest on His shoulders;
And His name will be called Wonderful Counsellor, Mighty God,
Eternal Father, Prince of Peace." Isaiah 9:6