Re: [HACKERS] Self-signed certificate instructions

On 04/17/2017 02:19 PM, Bruce Momjian wrote:
> On Sat, Apr 15, 2017 at 11:17:14AM -0400, Andrew Dunstan wrote:
>>
>> On 04/15/2017 09:58 AM, Andrew Dunstan wrote:
>>> The instructions on how to create a self-signed certificate in s 18.9.3
>>> of the docs seem unduly cumbersome. AFAICT we could replace all the
>>> commands (except the chmod) with something like this:
>>>
>>>     |openssl req -new-x509 -days 365-nodes \ -text -outserver.crt\
>>>     -keyout server.key\ -subj "/C=XY/CN=yourdomain.name"|
>>>
>>> Is there any reason for sticking with the current instructions?
>>>
>> Argh. Darn Thunderbird. This should of course be:
>>
>>
>>     openssl req -new-x509 -days 365-nodes \
>                                   ^^^^^^^^^
>
> I think you meant "-days 365 -nodes" here.


yes.


>
> I think the reason we have those cumbersome instructions is that there
> is no way to create a non-expireable certificate using simpler
> instructions.


You can make it for a very large number of days. 9999 should be plenty :-)

TBH very long lived keys are a bad idea. In fact, self-signed
certificates in any production or publicly visible instance are also a
bad idea.


>
> I would like to revisit these instructions, as well as document how to
> create intermediate certificates.  I have scripts that do that.
>


OK.. Do you want to run with this?

cheers

andrew


-- 
Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services