On 04/17/2017 02:19 PM, Bruce Momjian wrote: > On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote: >> >> On 04/15/2017 09:58 AM, Andrew Dunstan wrote: >>> The instructions on how to create a self-signed certificate in s 18.9.3 >>> of the docs seem unduly cumbersome. AFAICT we could replace all the >>> commands (except the chmod) with something like this: >>> >>> |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\ >>> -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"| >>> >>> Is there any reason for sticking with the current instructions? >>> >> Argh. Darn Thunderbird. This should of course be: >> >> >> openssl req -new-x509 -days 365-nodes \ > ^^^^^^^^^ > > I think you meant "-days 365 -nodes" here.
yes. > > I think the reason we have those cumbersome instructions is that there > is no way to create a non-expireable certificate using simpler > instructions. You can make it for a very large number of days. 9999 should be plenty :-) TBH very long lived keys are a bad idea. In fact, self-signed certificates in any production or publicly visible instance are also a bad idea. > > I would like to revisit these instructions, as well as document how to > create intermediate certificates. I have scripts that do that. > OK.. Do you want to run with this? cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers