Re: Correction of intermediate certificate handling

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, David Steele <david(at)pgmasters(dot)net>
Subject: Re: Correction of intermediate certificate handling
Date: 2018-01-17 08:20:00
Message-ID: 20180117082000.GA13673@paquier.xyz
Lists: pgsql-docs

On Tue, Jan 16, 2018 at 10:23:44PM -0500, Bruce Momjian wrote:
> On Wed, Jan 17, 2018 at 09:09:50AM +0900, Michael Paquier wrote:
> > On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> > > On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
>
> I ended up merging the "chain of trust" changes into the "intermediate"
> patch since they affect adjacent sections of the docs. You can see this
> as the first attached patch.

Thanks. I looked at crt.diff and the surroundings in the docs. This one
looks consistent to me.

> > > > Perhaps the docs could also include an example of command to create a
> > > > root and an intermediate certificate in runtime.sgml or such?
> > >
> > > Yes, I have thought about that. My presentation has clear examples that
> > > we can use, again based on Stephen and David's scripts using v3_ca. I
> > > will work up a possible patch for that too.
> >
> > That too.
>
> I did that as a separate patch, which is the second attachment.

This is openssl.diff.

+ Then, sign the request with the the private key to create a root
+certificate authority:
s/the the/the/

+<programlisting>
+openssl req -new -nodes -text -out root.csr \
+ -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
+chmod og-rwx root.key
+openssl x509 -req -in root.csr -text -days 365 \
+ -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
+ -signkey root.key -out root.crt
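
Review bot: in the "openssl x509 -req" command, "-extfile /etc/ssl/openssl.cnf" hard-codes a configuration path that differs between platforms, and "-extensions v3_ca" only works if that file defines a v3_ca section; the surrounding text should tell readers to substitute their system's openssl.cnf location and state that the section is required. In the first command, "-nodes" writes root.key unencrypted, and the file is only restricted by the "chmod og-rwx root.key" that runs after it has been created, so the text should say that the root key is stored without a passphrase and relies on file permissions.
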
The succession of commands for the intermediate certificates
is wild. Could it be possible to explain what each command means? Users
would not get lost this way.

> I don't think I will work on the testing changes.

Fine for me. This could do for a fine TODO item. Not one of those hard,
complicated and basically impossible things on the TODO list.
--
Michael
