>> with root.crt and server.key, server.crt
>
> That should be harmless...
Removed root.crl. The same effect.
> Let me reexamine your original mail:
>
>> generating another key on server:
> [...]
>> signing on CA:
>> openssl req -x509 -in server.req -text -key our.key -out server.crt
>
> That's the problem, I think.
> With this statement you generate a self signed certificate from server.req
> (check with "openssl x509 -in server.crt -text -noout").
>
> What you need is a certificate signed by root.crt.
>
> You can do it like this:
>
> openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt
>
> See if that gets rid of the message!
another error appeared:
psql: SSL error: sslv3 alert bad certificate
so I started from beginning:
on CA:
openssl genrsa -out our.key 2048
creating self-signed certificate:
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt
copied root.crt to client and postgres server
on server:
openssl genrsa -out server.key 2048
on CA:
openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key -CAcreateserial -out server.crt
on client:
openssl genrsa -out postgresql.key 2048
openssl req -new -key postgresql.key -out cl.req
on CA:
openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key -CAcreateserial -out postgresql.crt
files on client host:
postgresql.crt (signed by CA, -- root.crt)
postgresql.key (client private and public keys)
root.crt
files on postgresql server:
server.key (priv and pub keys)
server.crt (signed by root CA)
root.crt
stopped postgresql and started again
on client:
psql "dbname=me sslmode=require host=postgresql_host user=me"
psql: SSL error: sslv3 alert bad certificate
on server in logs:
postgres[29299]: [3-1] LOG: could not accept SSL connection: no certificate returned
Where was I wrong? :(
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
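
Added example, not part of the original mail: a check that separates the two signing commands discussed in this thread by comparing issuer with subject and by running `openssl verify` against root.crt. The subject names and the temporary directory are constructed; it assumes the openssl CLI with its default openssl.cnf.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names, not the poster's files.
# Assumes the openssl CLI and its default openssl.cnf are installed.

# Print "self-issued" when issuer == subject, otherwise "ca-issued".
issuer_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo self-issued; else echo ca-issued; fi
}

# Print "ok" when certificate $2 chains to the CA file $1, otherwise "fail".
chains_to() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Create a CA and a server request in directory $1, then sign the request
# once with each command from the thread.
build_demo() {
    d=$1
    openssl genrsa -out "$d/our.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/our.key" -subj "/CN=Example Root CA" \
        -days 30 -out "$d/root.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=db.example.test" \
        -out "$d/server.req"
    # Command from the first mail: issuer is copied from the request's subject,
    # so root.crt never appears in the chain.
    openssl req -x509 -in "$d/server.req" -key "$d/our.key" -out "$d/wrong.crt"
    # Command from the reply: issuer is root.crt's subject.
    openssl x509 -req -in "$d/server.req" -CA "$d/root.crt" \
        -CAkey "$d/our.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
build_demo "$demo_dir"
for c in wrong.crt server.crt; do
    echo "$c: $(issuer_kind "$demo_dir/$c"), verify against root.crt:" \
        "$(chains_to "$demo_dir/root.crt" "$demo_dir/$c")"
done
rm -rf "$demo_dir"
```

The same two functions can be pointed at a real root.crt and server.crt or postgresql.crt before restarting the server.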