SSL Connections
I've been experimenting with the SSL connection support. Unfortunately I can't
get the postmaster to start because the instructions in the documentation for
setting up a certificate don't work.
They say:
=============================================================================
For details on how to create your server private key and certificate, refer
to the OpenSSL documentation... To create a quick self-signed certificate, use
the CA.pl script included in OpenSSL:
CA.pl -newcert
Fill out the information the script asks for. Make sure to enter the local
host name as Common Name. The script will generate a key that is passphrase
protected. To remove the passphrase (required if you want automatic
start-up of the postmaster), run the command
openssl x509 -inform PEM -outform PEM -in newreq.pem \
-out newkey_no_passphrase.pem
Enter the old passphrase to unlock the existing key. Copy the file newreq.pem
to PGDATA/server.crt and newkey_no_passphrase.pem to PGDATA/server.key.
Remove the PRIVATE KEY part from the server.crt using any text editor.
=============================================================================
The openssl x509 command runs with no interaction; this documentation seems
to indicate that it will ask for a password.
I can't find anything in the SSL documentation about removing or
changing the passphrase.
Has anyone successfully done this? and if so, how is the documentation
quoted above incorrect?
--
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"And she shall bring forth a son, and thou shall call
his name JESUS; for he shall save his people from
their sins." Matthew 1:21
On Wed, 20 Dec 2000, Oliver Elphick wrote:
Has anyone successfully done this? and if so, how is the documentation
quoted above incorrect?
When I did my testing, I just took some certs that I had generated
through Apache's make certificate command - just don't enter a passphrase,
then copy the certificate and key. Works great.
--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
Has anyone successfully done this? and if so, how is the documentation
quoted above incorrect?
When I did my testing, I just took some certs that I had generated
through Apache's make certificate command - just don't enter a passphrase,
then copy the certificate and key. Works great.
Hmm. Those instructions worked when I wrote them - must've had an old
version of OpenSSL, and they changed it. Any chance you could update the
documentation to something that works?
//Magnus
On Wed, 20 Dec 2000, Oliver Elphick wrote:
To create a quick self-signed certificate, use the CA.pl script
included in OpenSSL:
CA.pl -newcert
Or you can do it manually:
openssl req -new -text -out cert.req (you will have to enter a password)
mv privkey.pem cert.pem.pw
openssl rsa -in cert.pem.pw -out cert.pem (this removes the password)
openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
Matthew.
Matthew Kirkwood wrote:
On Wed, 20 Dec 2000, Oliver Elphick wrote:
To create a quick self-signed certificate, use the CA.pl script
included in OpenSSL:
...
Or you can do it manually:
openssl req -new -text -out cert.req (you will have to enter a password)
mv privkey.pem cert.pem.pw
openssl rsa -in cert.pem.pw -out cert.pem (this removes the password)
openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
then
cp cert.pem $PGDATA/server.key
cp cert.cert $PGDATA/server.crt
Thank you; this works.
I attach a documentation patch.
*** sgml.orig/runtime.sgml Thu Dec 21 16:21:45 2000
--- sgml/runtime.sgml Thu Dec 21 16:47:18 2000
***************
*** 1823,1848 ****
<para>
For details on how to create your server private key and certificate,
refer to the <productname>OpenSSL</> documentation. A simple self-signed
! certificate can be used to get started testing, but a certificate signed
by a CA (either one of the global CAs or a local one) should be used in
production so the client can verify the servers identity. To create
! a quick self-signed certificate, use the <filename>CA.pl</filename>
! script included in OpenSSL:
! <programlisting>
! CA.pl -newcert
! </programlisting>
! Fill out the information the script asks for. Make sure to enter
! the local host name as Common Name. The script will generate a key
! that is passphrase protected. To remove the passphrase (required
! if you want automatic start-up of the postmaster), run the command
! <programlisting>
! openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
! </programlisting>
! Enter the old passphrase to unlock the existing key. Copy the file
! <filename>newreq.pem</> to <filename><replaceable>PGDATA</>/server.crt</>
! and <filename>newkey_no_passphrase.pem</> to
! <filename><replaceable>PGDATA</>/server.key</>. Remove the PRIVATE KEY part
! from the <filename>server.crt</filename> using any text editor.
</para>
</sect1>
--- 1823,1853 ----
<para>
For details on how to create your server private key and certificate,
refer to the <productname>OpenSSL</> documentation. A simple self-signed
! certificate can be used to get started for testing, but a certificate signed
by a CA (either one of the global CAs or a local one) should be used in
production so the client can verify the servers identity. To create
! a quick self-signed certificate, use the following OpenSSL command:
! <programlisting>
! openssl req -new -text -out cert.req
! </programlisting>
! Fill out the information that openssl asks for. Make sure that you enter
! the local host name as Common Name; the challenge password can be
! left blank. The script will generate a key that is passphrase protected;
! it will not accept a pass phrase that is less than four characters long.
! To remove the passphrase (as you must if you want automatic start-up of
! the postmaster), run the commands
! <programlisting>
! mv privkey.pem cert.pem.pw
! openssl rsa -in cert.pem.pw -out cert.pem
! </programlisting>
! Enter the old passphrase to unlock the existing key. Now do
! </programlisting>
! openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
! cp cert.pem $PGDATA/server.key
! cp cert.cert $PGDATA/server.crt
! </programlisting>
! to turn the certificate into a self-signed certificate and to copy the
! key and certificate to where the postmaster will look for them.
</para>
</sect1>
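Review bot: In the new text, the line right after "Enter the old passphrase to unlock the existing key. Now do" is `</programlisting>` where an opening `<programlisting>` is needed, so the third command block has two closing tags and no opening one and the SGML is not well-formed; change that first tag to `<programlisting>`. The sentence "The script will generate a key that is passphrase protected" is also left over from the CA.pl wording, although the new text no longer runs a script; "this command" would match. Since cert.pem is the key with its passphrase removed, the paragraph could add a sentence telling the reader to keep `$PGDATA/server.key` readable only by the user that runs the postmaster.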
Applied.
Matthew Kirkwood wrote:
On Wed, 20 Dec 2000, Oliver Elphick wrote:
To create a quick self-signed certificate, use the CA.pl script
included in OpenSSL:
...
Or you can do it manually:
openssl req -new -text -out cert.req (you will have to enter a password)
mv privkey.pem cert.pem.pw
openssl rsa -in cert.pem.pw -out cert.pem (this removes the password)
openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
then
cp cert.pem $PGDATA/server.key
cp cert.cert $PGDATA/server.crt
Thank you; this works.
I attach a documentation patch.
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"For a child will be born to us, a son will be given to
us; And the government will rest on His shoulders; And
His name will be called Wonderful Counsellor, Mighty
God, Eternal Father, Prince of Peace."
Isaiah 9:6
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
It looks Ok, but it has one unnecessary step. There is no need to do the "mv
privkey.pem cert.pem.pw" if you just use "privkey.pem" in the following
openssl command (e.g. "openssl rsa -in privkey.pem -out cert.pem").
But there is nothing wrong with it as it is now, as far as I can see.
//Magnus
-----Original Message-----
From: Bruce Momjian [mailto:pgman@candle.pha.pa.us]
Sent: den 21 december 2000 20:15
To: Magnus Hagander
Cc: 'Matthew Kirkwood'; 'pgsql-patches@postgresql.org'
Subject: Re: [PATCHES] RE: SSL Connections [doc PATCH]
I have applied an earlier patch to this file for SSL. Could you check
the current tree and see how you like it?
Thanks for that one!
Here is a patch to update the documentation based on this - this should make
it less dependent on the version of OpenSSL used.
//Magnus
-----Original Message-----
From: Matthew Kirkwood [mailto:matthew@hairy.beasts.org]
Sent: den 21 december 2000 16:49
To: Oliver Elphick
Cc: pgsql-hackers@postgresql.org
Subject: Re: [HACKERS] SSL Connections
On Wed, 20 Dec 2000, Oliver Elphick wrote:
To create a quick self-signed certificate, use the CA.pl script
included in OpenSSL:
CA.pl -newcert
Or you can do it manually:
openssl req -new -text -out cert.req (you will have to enter a password)
mv privkey.pem cert.pem.pw
openssl rsa -in cert.pem.pw -out cert.pem (this removes the password)
openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
Matthew.
If this is a valid point, can someone send me a patch for it? Thanks.
It looks Ok, but it has one unnecessary step. There is no need to do the "mv
privkey.pem cert.pem.pw" if you just use "privkey.pem" in the following
openssl command (e.g. "openssl rsa -in privkey.pem -out cert.pem").
But there is nothing wrong with it as it is now, as far as I can see.
//Magnus
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
Is this resolved?
It looks Ok, but it has one unnecessary step. There is no need to do the "mv
privkey.pem cert.pem.pw" if you just use "privkey.pem" in the following
openssl command (e.g. "openssl rsa -in privkey.pem -out cert.pem").
But there is nothing wrong with it as it is now, as far as I can see.
//Magnus
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
Again, is this something that needs fixing? Just a YES or NO is all I
need.
It looks Ok, but it has one unnecessary step. There is no need to do the "mv
privkey.pem cert.pem.pw" if you just use "privkey.pem" in the following
openssl command (e.g. "openssl rsa -in privkey.pem -out cert.pem").
But there is nothing wrong with it as it is now, as far as I can see.
//Magnus
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
Needs fixing - no. The current version *works*.
The fix would remove one unnecessary step from it, but it still *works* in
its current state.
Sorry about this - I've missed looking at it.
//Magnus
-----Original Message-----
From: Bruce Momjian [mailto:pgman@candle.pha.pa.us]
Sent: den 24 januari 2001 15:47
To: Magnus Hagander
Cc: PostgreSQL-development; PostgreSQL-documentation
Subject: Re: [PATCHES] RE: SSL Connections [doc PATCH]
Again, is this something that needs fixing? Just a YES or NO is all I
need.
It looks Ok, but it has one unnecessary step. There is no need to do the "mv
privkey.pem cert.pem.pw" if you just use "privkey.pem" in the following
openssl command (e.g. "openssl rsa -in privkey.pem -out cert.pem").
But there is nothing wrong with it as it is now, as far as I can see.
//Magnus
But shouldn't we remove it to make it clearer?
Needs fixing - no. The current version *works*.
The fix would remove one unnecessary step from it, but it still *works* in
its current state.
Sorry about this - I've missed looking at it.
//Magnus
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
That would probably be good, yes :-)
You should then change:
mv privkey.pem cert.pem.pw
openssl rsa -in cert.pem.pw -out cert.pem
to
openssl rsa -in privkey.pem -out cert.pem
(Sorry, don't have access to the SGML source now, so I can't give you a
patch)
//Magnus
-----Original Message-----
From: Bruce Momjian [mailto:pgman@candle.pha.pa.us]
Sent: den 24 januari 2001 16:03
To: Magnus Hagander
Cc: PostgreSQL-development; PostgreSQL-documentation
Subject: Re: [PATCHES] RE: SSL Connections [doc PATCH]
But shouldn't we remove it to make it clearer?
Needs fixing - no. The current version *works*.
The fix would remove one unnecessary step from it, but it still *works* in
its current state.
Sorry about this - I've missed looking at it.
//Magnus
That would probably be good, yes :-)
You should then change:
mv privkey.pem cert.pem.pw
openssl rsa -in cert.pem.pw -out cert.pem
to
openssl rsa -in privkey.pem -out cert.pem
(Sorry, don't have access to the SGML source now, so I can't give you a
patch)
OK, the SGML diff is:
---------------------------------------------------------------------------
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /home/projects/pgsql/cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
retrieving revision 1.46
diff -c -r1.46 runtime.sgml
*** doc/src/sgml/runtime.sgml 2001/01/08 21:01:54 1.46
--- doc/src/sgml/runtime.sgml 2001/01/24 15:17:09
***************
*** 1911,1918 ****
To remove the passphrase (as you must if you want automatic start-up of
the postmaster), run the commands
<programlisting>
! mv privkey.pem cert.pem.pw
! openssl rsa -in cert.pem.pw -out cert.pem
</programlisting>
Enter the old passphrase to unlock the existing key. Now do
<programlisting>
--- 1911,1917 ----
To remove the passphrase (as you must if you want automatic start-up of
the postmaster), run the commands
<programlisting>
! openssl rsa -in privkey.pem -out cert.pem
</programlisting>
Enter the old passphrase to unlock the existing key. Now do
<programlisting>
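Review bot: The unchanged context line just above the block still reads "run the commands", but after this change the block holds a single command; change it to "run the command" in the same patch. The paragraph could also say that cert.pem, the output of `openssl rsa -in privkey.pem -out cert.pem`, is the private key without passphrase protection and should be readable only by the user that runs the postmaster.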
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
Change made.
It looks Ok, but it has one unnecessary step. There is no need to do the "mv
privkey.pem cert.pem.pw" if you just use "privkey.pem" in the following
openssl command (e.g. "openssl rsa -in privkey.pem -out cert.pem").
But there is nothing wrong with it as it is now, as far as I can see.
//Magnus
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
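The procedure the thread settles on, run without prompts and followed by the checks an administrator would want before starting the server (an added example, not code from the thread or from the PostgreSQL documentation). The passphrase, the Common Name and the directory standing in for $PGDATA are constructed values, and `-newkey`, `-keyout`, `-subj`, `-passout` and `-passin` are used here in place of the interactive prompts.

```shell
#!/bin/sh
# Added example: key/certificate creation as described in the thread, plus
# sanity checks. Passphrase, CN and directories are constructed test values.

# make_test_cert DIR CN: write DIR/server.key and DIR/server.crt.
make_test_cert() {
    dir=$(cd "$1" && pwd) || return 1
    cn=$2
    pass='constructed-passphrase'
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # 1. Certificate request plus a passphrase-protected key (privkey.pem).
        openssl req -new -newkey rsa:2048 -subj "/CN=$cn" -keyout privkey.pem \
            -passout "pass:$pass" -out cert.req 2>/dev/null || exit 1
        # 2. Remove the passphrase, reading privkey.pem directly (no mv step).
        openssl rsa -in privkey.pem -passin "pass:$pass" -out cert.pem \
            2>/dev/null || exit 1
        # 3. Turn the request into a self-signed certificate.
        openssl req -x509 -in cert.req -key cert.pem -out cert.cert \
            2>/dev/null || exit 1
        # 4. Install. cert.pem is now a plaintext private key: owner-only.
        umask 077
        cp cert.pem "$dir/server.key" && chmod 600 "$dir/server.key" &&
            cp cert.cert "$dir/server.crt"
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

# check_server_pair DIR: prints "ok" and returns 0, or prints the problem and
# returns 1 (key still encrypted), 2 (key/cert mismatch) or 3 (loose mode).
check_server_pair() {
    key=$1/server.key
    crt=$1/server.crt
    # Both traditional and PKCS#8 encrypted PEM keys carry "ENCRYPTED" in
    # their header; such a key needs a passphrase at every server start.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "key is passphrase-protected"; return 1
    fi
    # The certificate must contain the public half of this private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read key"; return 2; }
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate"; return 2; }
    [ "$kpub" = "$cpub" ] ||
        { echo "key does not match certificate"; return 2; }
    # An unencrypted key must not be readable by group or others.
    mode=$(ls -l "$key" | cut -c1-10)
    case $mode in
        -rw-------|-r--------) ;;
        *) echo "key mode too permissive: $mode"; return 3 ;;
    esac
    echo ok
}

# Demo in a throwaway directory standing in for $PGDATA.
demo=$(mktemp -d) && make_test_cert "$demo" localhost && check_server_pair "$demo"
rm -rf "$demo"
```
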