Re: [HACKERS] Self-signed certificate instructions

2017-04-17 Thread Andreas Karlsson 

On 04/15/2017 03:58 PM, Andrew Dunstan wrote:

The instructions on how to create a self-signed certificate in s 18.9.3
of the docs seem unduly cumbersome.


+1, I see no reason for us to spread unnecessarily complicated instructions.

Andreas


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Self-signed certificate instructions

2017-04-17 Thread Bruce Momjian 
On Mon, Apr 17, 2017 at 04:27:30PM -0400, Andrew Dunstan wrote:
> > I would like to revisit these instructions, as well as document how to
> > create intermediate certificates.  I have scripts that do that.
> >
> 
> 
> OK.. Do you want to run with this?

Please go forward and I will work on the intermediate certificate issue
in a few months.

-- 
  Bruce Momjian  http://momjian.us
  EnterpriseDB http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+  Ancient Roman grave inscription +


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Self-signed certificate instructions

2017-04-17 Thread Andrew Dunstan 


On 04/17/2017 02:19 PM, Bruce Momjian wrote:
> On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote:
>>
>> On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
>>> The instructions on how to create a self-signed certificate in s 18.9.3
>>> of the docs seem unduly cumbersome. AFAICT we could replace all the
>>> commands (except the chmod) with something like this:
>>>
>>> |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
>>> -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
>>>
>>> Is there any reason for sticking with the current instructions?
>>>
>> Argh. Darn Thunderbird. This should of course be:
>>
>>
>> openssl req -new-x509 -days 365-nodes \
>   ^
>
> I think you meant "-days 365 -nodes" here.


yes.


>
> I think the reason we have those cumbersome instructions is that there
> is no way to create a non-expireable certificate using simpler
> instructions.


You can make it for a very large number of days.  should be plenty :-)

TBH very long lived keys are a bad idea. In fact, self-signed
certificates in any production or publicly visible instance are also a
bad idea.


>
> I would like to revisit these instructions, as well as document how to
> create intermediate certificates.  I have scripts that do that.
>


OK.. Do you want to run with this?

cheers

andrew


-- 
Andrew Dunstanhttps://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Self-signed certificate instructions

2017-04-17 Thread Bruce Momjian 
On Mon, Apr 17, 2017 at 03:43:09PM -0400, Tom Lane wrote:
> Bruce Momjian  writes:
> > I think the reason we have those cumbersome instructions is that there
> > is no way to create a non-expireable certificate using simpler
> > instructions.
> 
> Um ... but the current instructions don't address that either.

Uh, I thought the instructions were needed for non-expiration, but I now
remember it was to allow for non-password keys, but now I see it is not
needed, so +1 for making the simplification.

> > I would like to revisit these instructions, as well as document how to
> > create intermediate certificates.  I have scripts that do that.
> 
> I don't think we should try to teach people how to use openssl.
> A quick example of setting up a dummy certificate for testing is fine,
> but going much beyond that is not our turf.

We had an open item for years about people complaining that the client
required the entire chain to the root (and our documention currently
mentions that requirement), but it turns out this is only necessary if
you don't create the intermediate certificates with the proper
certificate flag, e.g. -extensions v3_ca.  I will generate a patch that
at least mentions that requirement.

-- 
  Bruce Momjian  http://momjian.us
  EnterpriseDB http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+  Ancient Roman grave inscription +


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Self-signed certificate instructions

2017-04-17 Thread Tom Lane 
Bruce Momjian  writes:
> I think the reason we have those cumbersome instructions is that there
> is no way to create a non-expireable certificate using simpler
> instructions.

Um ... but the current instructions don't address that either.

> I would like to revisit these instructions, as well as document how to
> create intermediate certificates.  I have scripts that do that.

I don't think we should try to teach people how to use openssl.
A quick example of setting up a dummy certificate for testing is fine,
but going much beyond that is not our turf.

regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Self-signed certificate instructions

2017-04-17 Thread Bruce Momjian 
On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote:
> 
> 
> On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
> > The instructions on how to create a self-signed certificate in s 18.9.3
> > of the docs seem unduly cumbersome. AFAICT we could replace all the
> > commands (except the chmod) with something like this:
> >
> > |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
> > -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
> >
> > Is there any reason for sticking with the current instructions?
> >
> 
> Argh. Darn Thunderbird. This should of course be:
> 
> 
> openssl req -new-x509 -days 365-nodes \
  ^

I think you meant "-days 365 -nodes" here.

I think the reason we have those cumbersome instructions is that there
is no way to create a non-expireable certificate using simpler
instructions.

I would like to revisit these instructions, as well as document how to
create intermediate certificates.  I have scripts that do that.

-- 
  Bruce Momjian  http://momjian.us
  EnterpriseDB http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+  Ancient Roman grave inscription +


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Self-signed certificate instructions

2017-04-15 Thread Magnus Hagander 
On Sat, Apr 15, 2017 at 7:54 PM, Tom Lane  wrote:

> Andrew Dunstan  writes:
> > The instructions on how to create a self-signed certificate in s 18.9.3
> > of the docs seem unduly cumbersome.
>
> Yeah, I noticed that they seemed unnecessarily manual.  +1 for
> simplifying.
>

Seems reasonable, +1 for simplifications.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/ 
 Work: https://www.redpill-linpro.com/

Re: [HACKERS] Self-signed certificate instructions

2017-04-15 Thread Tom Lane 
Andrew Dunstan  writes:
> The instructions on how to create a self-signed certificate in s 18.9.3
> of the docs seem unduly cumbersome.

Yeah, I noticed that they seemed unnecessarily manual.  +1 for
simplifying.

regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Self-signed certificate instructions

2017-04-15 Thread Andrew Dunstan 


On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
> The instructions on how to create a self-signed certificate in s 18.9.3
> of the docs seem unduly cumbersome. AFAICT we could replace all the
> commands (except the chmod) with something like this:
>
> |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
> -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
>
> Is there any reason for sticking with the current instructions?
>

Argh. Darn Thunderbird. This should of course be:


openssl req -new-x509 -days 365-nodes \
-text -out server.crt \
-keyout server.key \
-subj  "/C=XY/CN=yourdomain.name"


cheers

andrew

-- 
Andrew Dunstanhttps://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

[HACKERS] Self-signed certificate instructions

2017-04-15 Thread Andrew Dunstan 

The instructions on how to create a self-signed certificate in s 18.9.3
of the docs seem unduly cumbersome. AFAICT we could replace all the
commands (except the chmod) with something like this:

|openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
-keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|

Is there any reason for sticking with the current instructions?

cheers

andrew

-- 
Andrew Dunstanhttps://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers