After sending below to pgsql-docs, I noticed if I follow the step
described in the doc[1], generated root.crt lacks below.
X509v3 extensions:
X509v3 Subject Key Identifier:
3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF
X509v3 Authority Key Identifier:
keyid:3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
This is present if I use command[2]:
> openssl req -new -x509 -nodes -text -days 3650 \
> -config /etc/ssl/openssl.cnf -extensions v3_ca \
> -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"
I wonder if this is normal or not.
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
From: Tatsuo Ishii <ishii@sraoss.co.jp>
Subject: Creating Certificates
Date: Sat, 06 Oct 2018 08:17:04 +0900 (JST)
Message-ID: <20181006.081704.1372328430253415862.t-ishii@sraoss.co.jp>
> In "18.9.3. Creating Certificates",
>
> ------------------------------------------------------------------
[1]
> To create a server certificate whose identity can be validated by
> clients, first create a certificate signing request (CSR) and a
> public/private key file:
>
> openssl req -new -nodes -text -out root.csr \
> -keyout root.key -subj "/CN=root.yourdomain.com"
> chmod og-rwx root.key
>
> Then, sign the request with the key to create a root certificate
> authority (using the default OpenSSL configuration file location on
> Linux):
>
> openssl x509 -req -in root.csr -text -days 3650 \
> -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
> -signkey root.key -out root.crt
> ------------------------------------------------------------------
>
> For me it seesm the two-step procedure can be replaced with following
> one command:
>
[2]
> openssl req -new -x509 -nodes -text -days 3650 \
> -config /etc/ssl/openssl.cnf -extensions v3_ca \
> -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"
>
> Is there any reaon why our doc recommend the two-step procedure?
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
>