From 2905a2c54b4116ff59b45d59815b5420ba580dd3 Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Thu, 21 Dec 2000 19:08:05 +0000 Subject: [PATCH] >openssl req -new -text -out cert.req (you will have to enter a password) >mv privkey.pem cert.pem.pw >openssl rsa -in cert.pem.pw -out cert.pem (this removes the password) >openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert then cp cert.pem $PGDATA/server.key cp cert.cert $PGDATA/server.crt Thank you; this works. Oliver Elphick --- doc/src/sgml/runtime.sgml | 43 ++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 8e1e6bda0e..6cd1a2d14a 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -1,5 +1,5 @@ @@ -1823,26 +1823,31 @@ set semsys:seminfo_semmsl=32 For details on how to create your server private key and certificate, refer to the OpenSSL documentation. A simple self-signed - certificate can be used to get started testing, but a certificate signed + certificate can be used to get started for testing, but a certificate signed by a CA (either one of the global CAs or a local one) should be used in production so the client can verify the servers identity. To create - a quick self-signed certificate, use the CA.pl - script included in OpenSSL: - -CA.pl -newcert - - Fill out the information the script asks for. Make sure to enter - the local host name as Common Name. The script will generate a key - that is passphrase protected. To remove the passphrase (required - if you want automatic start-up of the postmaster), run the command - -openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem - - Enter the old passphrase to unlock the existing key. Copy the file - newreq.pem to PGDATA/server.crt - and newkey_no_passphrase.pem to - PGDATA/server.key. Remove the PRIVATE KEY part - from the server.crt using any text editor. + a quick self-signed certificate, use the following OpenSSL command: + + openssl req -new -text -out cert.req + + Fill out the information that openssl asks for. Make sure that you enter + the local host name as Common Name; the challenge password can be + left blank. The script will generate a key that is passphrase protected; + it will not accept a pass phrase that is less than four characters long. + To remove the passphrase (as you must if you want automatic start-up of + the postmaster), run the commands + + mv privkey.pem cert.pem.pw + openssl rsa -in cert.pem.pw -out cert.pem + + Enter the old passphrase to unlock the existing key. Now do + + openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert + cp cert.pem $PGDATA/server.key + cp cert.cert $PGDATA/server.crt + + to turn the certificate into a self-signed certificate and to copy the + key and certificate to where the postmaster will look for them.