mirror of https://github.com/postgres/postgres.git synced 2025-07-28 23:42:10 +03:00

>openssl req -new -text -out cert.req (you will have to enter a password)

>mv privkey.pem cert.pem.pw
  >openssl rsa -in cert.pem.pw -out cert.pem  (this removes the password)
  >openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert

then

  cp cert.pem $PGDATA/server.key
  cp cert.cert $PGDATA/server.crt

Thank you; this works.

Oliver Elphick
This commit is contained in:
Bruce Momjian
2000-12-21 19:08:05 +00:00
parent 1db9cce39f
commit 2905a2c54b

@ -1,5 +1,5 @@
<!-- <!--
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.42 2000/12/17 11:22:00 petere Exp $ $Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.43 2000/12/21 19:08:05 momjian Exp $
--> -->
<Chapter Id="runtime"> <Chapter Id="runtime">
@ -1823,26 +1823,31 @@ set semsys:seminfo_semmsl=32
<para> <para>
For details on how to create your server private key and certificate, For details on how to create your server private key and certificate,
refer to the <productname>OpenSSL</> documentation. A simple self-signed refer to the <productname>OpenSSL</> documentation. A simple self-signed
certificate can be used to get started testing, but a certificate signed certificate can be used to get started for testing, but a certificate signed
by a CA (either one of the global CAs or a local one) should be used in by a CA (either one of the global CAs or a local one) should be used in
production so the client can verify the servers identity. To create production so the client can verify the servers identity. To create
a quick self-signed certificate, use the <filename>CA.pl</filename> a quick self-signed certificate, use the following OpenSSL command:
script included in OpenSSL:
<programlisting> <programlisting>
CA.pl -newcert openssl req -new -text -out cert.req
</programlisting> </programlisting>
Fill out the information the script asks for. Make sure to enter Fill out the information that openssl asks for. Make sure that you enter
the local host name as Common Name. The script will generate a key the local host name as Common Name; the challenge password can be
that is passphrase protected. To remove the passphrase (required left blank. The script will generate a key that is passphrase protected;
if you want automatic start-up of the postmaster), run the command it will not accept a pass phrase that is less than four characters long.
To remove the passphrase (as you must if you want automatic start-up of
the postmaster), run the commands
<programlisting> <programlisting>
openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem mv privkey.pem cert.pem.pw
openssl rsa -in cert.pem.pw -out cert.pem
</programlisting> </programlisting>
Enter the old passphrase to unlock the existing key. Copy the file Enter the old passphrase to unlock the existing key. Now do
<filename>newreq.pem</> to <filename><replaceable>PGDATA</>/server.crt</> </programlisting>
and <filename>newkey_no_passphrase.pem</> to openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
<filename><replaceable>PGDATA</>/server.key</>. Remove the PRIVATE KEY part cp cert.pem $PGDATA/server.key
from the <filename>server.crt</filename> using any text editor. cp cert.cert $PGDATA/server.crt
</programlisting>
to turn the certificate into a self-signed certificate and to copy the
key and certificate to where the postmaster will look for them.
</para> </para>
</sect1> </sect1>
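Review bot: The third listing on the new side, right after "Now do", starts with a closing </programlisting> tag where an opening <programlisting> is needed, so the block holding the openssl req -x509 and cp commands is never opened and the markup is left unbalanced; change that first tag to <programlisting>. In the same paragraph, "The script will generate a key" is left over from the CA.pl wording and should refer to openssl now that the script is no longer used. Because cert.pem has had its passphrase removed before "cp cert.pem $PGDATA/server.key", the text should also tell the reader to restrict the copied key file to the user that runs the postmaster, and to remove or protect the leftover cert.pem and cert.pem.pw files in the working directory.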