Re: Correction of intermediate certificate handling

On Wed, Jan 17, 2018 at 07:34:42AM -0500, Bruce Momjian wrote:
> On Wed, Jan 17, 2018 at 05:20:00PM +0900, Michael Paquier wrote:
> > The succession of commands of commands for the intermediate certificates
> > is wild. Could it be possible to explain what each command means? Users
> > would not get lost this way.
>
> Yes, I was not happy about that either. I was afraid that pound-sign
> comments would look like root prompts but I just added them and they
> look fine. Updated patch attached, with some expiration and wording
> adjustments. There is also a new paragraph at the end explaining where
> to place the files.

Thanks, that's a net improvement. So +1 for this version.

+ enterprise-wide root <acronym>CAs</acronym>) should be used in production.
Nit here. CA should not be plural.

+</programlisting>
+ Then, sign the request with the the key to create a root certificate
+ authority:
You still have a "the the" here.

/etc/ssl/openssl.cnf is not available on macos or Windows, which can
lead to a bit of confusion as I would imagine that people would
copy/paste such commands when testing things. Perhaps it would be worth
mentioning that this path is proper to usual Linux distributions (I can
see it at least on ArchLinux and Debian), with a reference to this
OpenSSL link:
https://www.openssl.org/docs/manmaster/man5/config.html

There is as well a set of tiny configuration files in src/test/ssl.
--
Michael