On 04/17/2017 02:19 PM, Bruce Momjian wrote:
> On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote:
>> On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
>>> The instructions on how to create a self-signed certificate in s 18.9.3
>>> of the docs seem unduly cumbersome. AFAICT we could replace all the
>>> commands (except the chmod) with something like this:
>>>     |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
>>>     -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
>>> Is there any reason for sticking with the current instructions?
>> Argh. Darn Thunderbird. This should of course be:
>>     openssl req -new-x509 -days 365-nodes \
>                                   ^^^^^^^^^
> I think you meant "-days 365 -nodes" here.


> I think the reason we have those cumbersome instructions is that there
> is no way to create a non-expireable certificate using simpler
> instructions.

You can make it for a very large number of days. 9999 should be plenty :-)

TBH very long lived keys are a bad idea. In fact, self-signed
certificates in any production or publicly visible instance are also a
bad idea.

> I would like to revisit these instructions, as well as document how to
> create intermediate certificates.  I have scripts that do that.

OK.. Do you want to run with this?



Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to