On Mon, Apr 17, 2017 at 03:43:09PM -0400, Tom Lane wrote:
> Bruce Momjian <br...@momjian.us> writes:
> > I think the reason we have those cumbersome instructions is that there
> > is no way to create a non-expirable certificate using simpler
> > instructions.
> 
> Um ... but the current instructions don't address that either.

Uh, I thought the instructions were needed for non-expiration, but I now
remember it was to allow for non-password keys, but now I see it is not
needed, so +1 for making the simplification.

> > I would like to revisit these instructions, as well as document how to
> > create intermediate certificates.  I have scripts that do that.
> 
> I don't think we should try to teach people how to use openssl.
> A quick example of setting up a dummy certificate for testing is fine,
> but going much beyond that is not our turf.

We had an open item for years about people complaining that the client
required the entire chain to the root (and our documentation currently
mentions that requirement), but it turns out this is only necessary if
you don't create the intermediate certificates with the proper
certificate flag, e.g. -extensions v3_ca.  I will generate a patch that
at least mentions that requirement.

-- 
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
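
The CA-flag point raised in the message above can be checked with openssl itself. This is an added example, not part of the original message or of the PostgreSQL documentation; the subjects, lifetimes, file names and the inline `[v3_ca]` section are assumptions constructed for the demo. It models a verifier that trusts only the root and is handed the intermediate by its peer.

```shell
#!/bin/sh
# Constructed demo: subjects, lifetimes and file names are sample values.

# make_chain DIR EXT: build root -> intermediate -> leaf in DIR. EXT is the
# extension section used when signing the intermediate ("" = none).
make_chain() (
    cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    newreq() {  # newreq NAME CN: unencrypted key plus CSR
        openssl req -new -nodes -newkey rsa:2048 -config ca.cnf \
            -subj "/CN=$2" -keyout "$1.key" -out "$1.csr"
    }
    sign() {    # sign NAME ISSUER [x509 options]: issue NAME.crt from NAME.csr
        name=$1; issuer=$2; shift 2
        openssl x509 -req -in "$name.csr" -days 30 -CA "$issuer.crt" \
            -CAkey "$issuer.key" -CAcreateserial -out "$name.crt" "$@"
    }
    {
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
            -config ca.cnf -extensions v3_ca -subj "/CN=demo root" \
            -keyout root.key -out root.crt &&
        newreq inter "demo intermediate" &&
        if [ -n "$2" ]; then sign inter root -extfile ca.cnf -extensions "$2"
        else sign inter root; fi &&
        newreq leaf "db.example.test" &&
        sign leaf inter
    } >/dev/null 2>&1
)

# chain_status EXT: prints "ok" when a verifier that trusts only the root and
# is handed the intermediate accepts the leaf, "rejected" otherwise.
chain_status() {
    work=$(mktemp -d) || return 1
    if ! make_chain "$work" "$1"; then echo error
    elif openssl verify -CAfile "$work/root.crt" -untrusted "$work/inter.crt" \
            "$work/leaf.crt" >/dev/null 2>&1; then echo ok
    else echo rejected; fi
    rm -rf "$work"
}

echo "intermediate signed with -extensions v3_ca: $(chain_status v3_ca)"
echo "intermediate signed without extensions:     $(chain_status '')"
```

To inspect an existing intermediate, `openssl x509 -in inter.crt -noout -text` shows whether `CA:TRUE` is present under X509v3 Basic Constraints.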