mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-12-03 08:00:21 +08:00
>openssl req -new -text -out cert.req (you will have to enter a password)
>mv privkey.pem cert.pem.pw
>openssl rsa -in cert.pem.pw -out cert.pem (this removes the password)
>openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert

then

cp cert.pem $PGDATA/server.key
cp cert.cert $PGDATA/server.crt

Thank you; this works.

Oliver Elphick
parent 1db9cce39f
commit 2905a2c54b
@ -1,5 +1,5 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.42 2000/12/17 11:22:00 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.43 2000/12/21 19:08:05 momjian Exp $
-->
<Chapter Id="runtime">
@ -1823,26 +1823,31 @@ set semsys:seminfo_semmsl=32
<para>
For details on how to create your server private key and certificate,
refer to the <productname>OpenSSL</> documentation. A simple self-signed
certificate can be used to get started testing, but a certificate signed
certificate can be used to get started for testing, but a certificate signed
by a CA (either one of the global CAs or a local one) should be used in
production so the client can verify the servers identity. To create
a quick self-signed certificate, use the <filename>CA.pl</filename>
script included in OpenSSL:
a quick self-signed certificate, use the following OpenSSL command:
<programlisting>
CA.pl -newcert
openssl req -new -text -out cert.req
</programlisting>
Fill out the information the script asks for. Make sure to enter
the local host name as Common Name. The script will generate a key
that is passphrase protected. To remove the passphrase (required
if you want automatic start-up of the postmaster), run the command
Fill out the information that openssl asks for. Make sure that you enter
the local host name as Common Name; the challenge password can be
left blank. The script will generate a key that is passphrase protected;
it will not accept a pass phrase that is less than four characters long.
To remove the passphrase (as you must if you want automatic start-up of
the postmaster), run the commands
<programlisting>
openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
mv privkey.pem cert.pem.pw
openssl rsa -in cert.pem.pw -out cert.pem
</programlisting>
Enter the old passphrase to unlock the existing key. Copy the file
<filename>newreq.pem</> to <filename><replaceable>PGDATA</>/server.crt</>
and <filename>newkey_no_passphrase.pem</> to
<filename><replaceable>PGDATA</>/server.key</>. Remove the PRIVATE KEY part
from the <filename>server.crt</filename> using any text editor.
Enter the old passphrase to unlock the existing key. Now do
</programlisting>
openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
cp cert.pem $PGDATA/server.key
cp cert.cert $PGDATA/server.crt
</programlisting>
to turn the certificate into a self-signed certificate and to copy the
key and certificate to where the postmaster will look for them.
</para>
</sect1>
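Review bot: The listing added after "Now do" opens with `</programlisting>` instead of `<programlisting>`, so the closing tag after the two `cp` lines has no matching open and the markup is unbalanced; change the first of the two to the opening tag. The new wording also still says "The script will generate a key" although `CA.pl` has been replaced by a direct `openssl req` call, and it never says where `privkey.pem` comes from, which the `mv privkey.pem cert.pem.pw` step depends on. Because `cert.pem` is the private key with its passphrase removed, the `cp cert.pem $PGDATA/server.key` step should be followed by a sentence telling the reader to restrict the copied file to the postmaster's user (for example with `chmod 600`), and the context line "servers identity" should read "server's identity" while the paragraph is being touched.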