Re: Correction of intermediate certificate handling

Wed, 17 Jan 2018 04:35:30 -0800 

On Wed, Jan 17, 2018 at 05:20:00PM +0900, Michael Paquier wrote:
> On Tue, Jan 16, 2018 at 10:23:44PM -0500, Bruce Momjian wrote:
> > On Wed, Jan 17, 2018 at 09:09:50AM +0900, Michael Paquier wrote:
> > > On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> > > > On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > 
> > I ended up merging the "chain of trust" changes into the "intermediate"
> > patch since they affect adjacent sections of the docs.  You can see this
> > as the first attached patch.
> 
> Thanks. I looked at crt.diff and the surroundings in the docs. This one
> looks consistent to me.

Good, thanks.

> > I did that as a separate patch, which is the second attachment.
> 
> This is openssl.diff.
> 
> +    Then, sign the request with the the private key to create a root
> +certificate authority:
> s/the the/the/
> 
> +<programlisting>
> +openssl req -new -nodes -text -out root.csr \
> +  -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
> +chmod og-rwx root.key
> +openssl x509 -req -in root.csr -text -days 365 \
> +  -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
> +  -signkey root.key -out root.crt
> The succession of commands of commands for the intermediate certificates
> is wild. Could it be possible to explain what each command means? Users
> would not get lost this way.

Yes, I was not happy about that either.  I was afraid that pound-sign
comments would look like root prompts but I just added them and they
look fine.  Updated patch attached, with some expiration and wording
adjustments.  There is also a new paragraph at the end explaining where
to place the files.

> > I don't think I will work on the testing changes.
> 
> Fine for me. This could do for a fine TODO item. Not one of those hard,
> complicated and basically impossible things on the TODO list.

Agreed.

-- 
  Bruce Momjian  <[email protected]>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
new file mode 100644
index a2ebd3e..7f83d0c
*** a/doc/src/sgml/runtime.sgml
--- b/doc/src/sgml/runtime.sgml
*************** pg_dumpall -p 5432 | psql -d postgres -p
*** 2385,2399 ****
    </sect2>
  
    <sect2 id="ssl-certificate-creation">
!    <title>Creating a Self-signed Certificate</title>
  
     <para>
!      To create a quick self-signed certificate for the server, valid for 365
       days, use the following <productname>OpenSSL</productname> command,
!      replacing <replaceable>yourdomain.com</replaceable> with the server's host name:
  <programlisting>
  openssl req -new -x509 -days 365 -nodes -text -out server.crt \
!   -keyout server.key -subj "/CN=<replaceable>yourdomain.com</replaceable>"
  </programlisting>
      Then do:
  <programlisting>
--- 2385,2400 ----
    </sect2>
  
    <sect2 id="ssl-certificate-creation">
!    <title>Creating Certificates</title>
  
     <para>
!      To create a simple self-signed certificate for the server, valid for 365
       days, use the following <productname>OpenSSL</productname> command,
!      replacing <replaceable>dbhost.yourdomain.com</replaceable> with the
!      server's host name:
  <programlisting>
  openssl req -new -x509 -days 365 -nodes -text -out server.crt \
!   -keyout server.key -subj "/CN=<replaceable>dbhost.yourdomain.com</replaceable>"
  </programlisting>
      Then do:
  <programlisting>
*************** chmod og-rwx server.key
*** 2406,2419 ****
     </para>
  
     <para>
!     A self-signed certificate can be used for testing, but a certificate
!     signed by a certificate authority (<acronym>CA</acronym>) (either one of the
!     global <acronym>CAs</acronym> or a local one) should be used in production
!     so that clients can verify the server's identity. If all the clients
!     are local to the organization, using a local <acronym>CA</acronym> is
!     recommended.
     </para>
  
    </sect2>
  
   </sect1>
--- 2407,2491 ----
     </para>
  
     <para>
!     While a self-signed certificate can be used for testing, a certificate
!     signed by a certificate authority (<acronym>CA</acronym>) (usually an
!     enterprise-wide root <acronym>CAs</acronym>) should be used in production.
!    </para>
! 
!    <para>
!     To create a server certificate whose identity can be validated
!     by clients, first create a certificate signing request
!     (<acronym>CSR</acronym>) and a public/private key file:
! <programlisting>
! openssl req -new -nodes -text -out root.csr \
!   -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
! chmod og-rwx root.key
! </programlisting>
!     Then, sign the request with the the key to create a root certificate
!     authority:
! <programlisting>
! openssl x509 -req -in root.csr -text -days 3650 \
!   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
!   -signkey root.key -out root.crt
! </programlisting>
!     Finally, create a server certificate signed by the new root certificate
!     authority:
! <programlisting>
! openssl req -new -nodes -text -out server.csr \
!   -keyout server.key -subj "/CN=<replaceable>dbhost.yourdomain.com</replaceable>"
! chmod og-rwx server.key
! 
! openssl x509 -req -in server.csr -text -days 365 \
!   -CA root.crt -CAkey root.key -CAcreateserial \
!   -out server.crt
! </programlisting>
!     <filename>server.crt</filename> and <filename>server.key</filename>
!     should be stored on the server, and <filename>root.crt</filename> should
!     be stored on the client so the client can verify that the server's leaf
!     certificate was signed by its trusted root certificate. 
!     <filename>root.key</filename> should be stored offline for use in
!     creating future certificates.
     </para>
  
+    <para>
+     It is also possible to create a chain of trust that includes
+     intermediate certificates:
+ <programlisting>
+ # root
+ openssl req -new -nodes -text -out root.csr \
+   -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
+ chmod og-rwx root.key
+ openssl x509 -req -in root.csr -text -days 3650 \
+   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
+   -signkey root.key -out root.crt
+ 
+ # intermediate
+ openssl req -new -nodes -text -out intermediate.csr \
+   -keyout intermediate.key -subj "/CN=<replaceable>intermediate.yourdomain.com</replaceable>"
+ chmod og-rwx intermediate.key
+ openssl x509 -req -in intermediate.csr -text -days 1825 \
+   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
+   -CA root.crt -CAkey root.key -CAcreateserial \
+   -out intermediate.crt
+ 
+ # leaf
+ openssl req -new -nodes -text -out server.csr \
+   -keyout server.key -subj "/CN=<replaceable>dbhost.yourdomain.com</replaceable>"
+ chmod og-rwx server.key
+ openssl x509 -req -in server.csr -text -days 365 \
+   -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
+   -out server.crt
+ </programlisting>
+     <filename>server.crt</filename> and
+     <filename>intermediate.crt</filename> should be concatenated
+     into a certificate file bundle and stored on the server.
+     <filename>server.key</filename> should also be stored on the server.
+     <filename>root.crt</filename> should be stored on the client so
+     the client can verify that the server's leaf certificate was signed
+     by a chain of certificates linked to its trusted root certificate.
+     <filename>root.key</filename> and <filename>intermediate.key</filename>
+     should be stored offline for use in creating future certificates.
+    </para>
    </sect2>
  
   </sect1>

Reply via email to