|
1 | 1 | <!-- |
2 | | -$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.42 2000/12/17 11:22:00 petere Exp $ |
| 2 | +$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.43 2000/12/21 19:08:05 momjian Exp $ |
3 | 3 | --> |
4 | 4 |
|
5 | 5 | <Chapter Id="runtime"> |
@@ -1823,26 +1823,31 @@ set semsys:seminfo_semmsl=32 |
1823 | 1823 | <para> |
1824 | 1824 | For details on how to create your server private key and certificate, |
1825 | 1825 | refer to the <productname>OpenSSL</> documentation. A simple self-signed |
1826 | | - certificate can be used to get started testing, but a certificate signed |
| 1826 | + certificate can be used to get startedfortesting, but a certificate signed |
1827 | 1827 | by a CA (either one of the global CAs or a local one) should be used in |
1828 | 1828 | production so the client can verify the servers identity. To create |
1829 | | - a quick self-signed certificate, use the <filename>CA.pl</filename> |
1830 | | - script included in OpenSSL: |
1831 | | -<programlisting> |
1832 | | -CA.pl -newcert |
1833 | | -</programlisting> |
1834 | | - Fill out the information the script asks for. Make sure to enter |
1835 | | - the local host name as Common Name. The script will generate a key |
1836 | | - that is passphrase protected. To remove the passphrase (required |
1837 | | - if you want automatic start-up of the postmaster), run the command |
1838 | | -<programlisting> |
1839 | | -openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem |
1840 | | -</programlisting> |
1841 | | - Enter the old passphrase to unlock the existing key. Copy the file |
1842 | | - <filename>newreq.pem</> to <filename><replaceable>PGDATA</>/server.crt</> |
1843 | | - and <filename>newkey_no_passphrase.pem</> to |
1844 | | - <filename><replaceable>PGDATA</>/server.key</>. Remove the PRIVATE KEY part |
1845 | | - from the <filename>server.crt</filename> using any text editor. |
| 1829 | + a quick self-signed certificate, use the following OpenSSL command: |
| 1830 | + <programlisting> |
| 1831 | + openssl req -new -text -out cert.req |
| 1832 | + </programlisting> |
| 1833 | + Fill out the information that openssl asks for. Make sure that you enter |
| 1834 | + the local host name as Common Name; the challenge password can be |
| 1835 | +left blank. The script will generate a key that is passphrase protected; |
| 1836 | +it will not accept a pass phrase that is less than four characters long. |
| 1837 | +To remove the passphrase (as you must if you want automatic start-up of |
| 1838 | +the postmaster), run the commands |
| 1839 | + <programlisting> |
| 1840 | + mv privkey.pem cert.pem.pw |
| 1841 | + openssl rsa -in cert.pem.pw -out cert.pem |
| 1842 | + </programlisting> |
| 1843 | + Enter the old passphrase to unlock the existing key. Now do |
| 1844 | + </programlisting> |
| 1845 | + openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert |
| 1846 | + cp cert.pem $PGDATA/server.key |
| 1847 | + cp cert.cert $PGDATA/server.crt |
| 1848 | + </programlisting> |
| 1849 | + to turn the certificate into a self-signed certificate and to copy the |
| 1850 | +key and certificate to where the postmaster will look for them. |
1846 | 1851 | </para> |
1847 | 1852 | </sect1> |
1848 | 1853 |
|
|