After sending below to pgsql-docs, I noticed if I follow the step described in the doc[1], generated root.crt lacks below.

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF
            X509v3 Authority Key Identifier:
                keyid:3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

This is present if I use command[2]:

> openssl req -new -x509 -nodes -text -days 3650 \
>   -config /etc/ssl/openssl.cnf -extensions v3_ca \
>   -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"

I wonder if this is normal or not.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp

From: Tatsuo Ishii <is...@sraoss.co.jp>
Subject: Creating Certificates
Date: Sat, 06 Oct 2018 08:17:04 +0900 (JST)
Message-ID: <20181006.081704.1372328430253415862.t-is...@sraoss.co.jp>

> In "18.9.3. Creating Certificates",
>
> ------------------------------------------------------------------
[1]
> To create a server certificate whose identity can be validated by
> clients, first create a certificate signing request (CSR) and a
> public/private key file:
>
> openssl req -new -nodes -text -out root.csr \
>   -keyout root.key -subj "/CN=root.yourdomain.com"
> chmod og-rwx root.key
>
> Then, sign the request with the key to create a root certificate
> authority (using the default OpenSSL configuration file location on
> Linux):
>
> openssl x509 -req -in root.csr -text -days 3650 \
>   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
>   -signkey root.key -out root.crt
> ------------------------------------------------------------------
>
> For me it seems the two-step procedure can be replaced with following
> one command:
>
[2]
> openssl req -new -x509 -nodes -text -days 3650 \
>   -config /etc/ssl/openssl.cnf -extensions v3_ca \
>   -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com"
>
> Is there any reason why our doc recommends the two-step procedure?
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
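
A check that can be run on root.crt after either procedure [1] or [2], added here as an example and not part of the original messages: it reads the `openssl x509 -noout -text` dump and reports which of the three extensions shown above are absent or whether Basic Constraints fails to say CA:TRUE. The function names and the second sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a certificate dump for CA extensions.

# Reads `openssl x509 -noout -text` output on stdin, prints one line per finding,
# and returns non-zero when an expected extension is missing or CA:TRUE is absent.
missing_ca_extensions() {
    awk '
        /X509v3 Subject Key Identifier/   { ski = 1 }
        /X509v3 Authority Key Identifier/ { aki = 1 }
        /X509v3 Basic Constraints/ {
            bc = 1
            crit = ($0 ~ /critical/)
            # The CA flag is printed on the line after the extension name.
            if ((getline val) > 0 && val ~ /CA:TRUE/) ca = 1
        }
        END {
            if (!ski) { print "missing: X509v3 Subject Key Identifier"; bad = 1 }
            if (!aki) { print "missing: X509v3 Authority Key Identifier"; bad = 1 }
            if (!bc) { print "missing: X509v3 Basic Constraints"; bad = 1 }
            else if (!ca) { print "not a CA: Basic Constraints lacks CA:TRUE"; bad = 1 }
            else if (!crit) { print "note: Basic Constraints not marked critical" }
            exit bad + 0
        }'
}

# Extension block as quoted in the message above.
sample_with_ext='        X509v3 extensions:
            X509v3 Subject Key Identifier:
                3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF
            X509v3 Authority Key Identifier:
                keyid:3B:16:EA:86:0B:7C:E4:7A:16:F2:4E:54:F5:9C:0E:0F:38:02:8C:CF
            X509v3 Basic Constraints: critical
                CA:TRUE'

# Constructed sample: dump of a certificate that carries no extensions.
sample_without_ext='        Subject: CN = root.yourdomain.com
    Signature Algorithm: sha256WithRSAEncryption'

# Audit a certificate file, e.g. root.crt produced by procedure [1] or [2].
audit_root_cert() {
    openssl x509 -in "$1" -noout -text | missing_ca_extensions
}

# When a file name is given on the command line, audit it.
if [ $# -gt 0 ]; then audit_root_cert "$1"; fi
```

Saved as a script and run with root.crt as its argument, it prints nothing and exits 0 when all three extensions are present.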