+++ /dev/null
-#
-# PostgreSQL sample configuration for *client* cert.
-# Contrast and compare with server.conf and root.conf.
-#
-
-####################################################################
-[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-#x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-0.domainComponent = domain name (TLD)
-0.domainComponent_default = com
-0.domainComponent_min = 2
-0.domainComponent_max = 3
-
-1.domainComponent = domain name
-1.domainComponent_default = example
-1.domainComponent_min = 1
-1.domainComponent_max = 64
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Snake Oil
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-#organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Your name
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_max = 40
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-pgName = PostgreSQL user name
-pgName_min = 1
-pgName_max = 12
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment = "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-subjectAltName=pgName
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
+++ /dev/null
-#!/bin/sh
-
-# === FIRST DRAFT ===
-
-PG_HOME=/var/lib/postgres
-PG_DATA=$PG_HOME/data
-
-# default password for CA key
-PASSWORD=postgresql
-
-#
-# this script creates the root (CA) certificate and
-# server cert for PostgreSQL. The OpenSSL applications
-# must be in the path.
-#
-
-if [ $PG_HOME"." = "." -o $PG_DATA"." = "." ]
-then
- /bin/echo You must define \$PG_HOME and \$PG_DATA before running this program.
- exit 0
-fi
-
-#
-# generate DSA parameters file used for keys, if one does
-# not already exist.
-#
-if [ ! -f $PG_HOME/dsa1024.pem -o -z $PG_HOME/dsa1024.pem ]
-then
- openssl dsaparam -out $PG_HOME/dsa1024.pem 1024
-fi
-
-#
-# generate CA directory tree and contents, if it does not already
-# exist.
-#
-if [ ! -d $PG_HOME/CA ]
-then
- /bin/mkdir $PG_HOME/CA;
-fi
-if [ ! -d $PG_HOME/CA/certs ]
-then
- /bin/mkdir $PG_HOME/CA/certs
-fi
-if [ ! -d $PG_HOME/CA/crl ]
-then
- /bin/mkdir $PG_HOME/CA/crl
-fi
-if [ ! -d $PG_HOME/CA/newcerts ]
-then
- /bin/mkdir $PG_HOME/CA/newcerts
-fi
-if [ ! -d $PG_HOME/CA/private ]
-then
- /bin/mkdir $PG_HOME/CA/private
- /bin/chmod 0700 $PG_HOME/CA/private
-fi
-if [ ! -f $PG_HOME/CA/index.txt ]
-then
- /usr/bin/touch $PG_HOME/CA/index.txt
-fi
-if [ ! -f $PG_HOME/CA/serial ]
-then
- /bin/echo 01 > $PG_HOME/CA/serial
-fi
-
-#
-# generate root key, if one does not already exist.
-#
-if [ ! -f $PG_HOME/CA/private/cakey.pem -o -z $PG_HOME/CA/private/cakey.pem ]
-then
- openssl gendsa $PG_HOME/dsa1024.pem |\
- openssl pkcs8 -topk8 -v2 bf -out $PG_HOME/CA/private/cakey.pem
- /bin/chmod 0700 $PG_HOME/CA/private/cakey.pem
-fi
-
-#
-# generate self-signed root certificate, if one does not already exist
-#
-if [ ! -f $PG_HOME/CA/cacert.pem -o -z $PG_HOME/CA/cacert.pem ]
-then
- /bin/echo "Creating the root certificate...."
- /bin/echo ""
- openssl req -new -x509 -out $PG_HOME/CA/cacert.pem \
- -key $PG_HOME/CA/private/cakey.pem \
- -config $PG_HOME/root.conf
- link -s $PG_HOME/CA/cacert.pem $PG_DATA/root.crt
-fi
-
-#
-# generate server key, if one does not already exist.
-#
-if [ ! -f $PG_DATA/server.key -o -z $PG_DATA/server.key ]
-then
- openssl gendsa -out $PG_DATA/server.key $PG_HOME/dsa1024.pem
- /bin/chmod 0700 $PG_HOME/CA/private/cakey.pem
-fi
-
-#
-# generate server certificate, if one does not already exist.
-#
-if [ ! -f $PG_DATA/server.crt -o -z $PG_DATA/server.crt ]
-then
- /bin/echo "Creating the PostgreSQL server certificate...."
- /bin/echo ""
- openssl req -new -x509 -out $PG_DATA/server.self \
- -key $PG_DATA/server.key \
- -config $PG_HOME/server.conf
- if [ -f $PG_DATA/server.self ]
- then
- openssl ca -out $PG_DATA/server.crt -ss_cert $PG_DATA/server.self \
- -config $PG_HOME/root.conf -extensions svr_cert
- /bin/rm -f $PG_DATA/server.self
- fi
-fi
+++ /dev/null
-#!/bin/sh
-
-echo \$HOME = $HOME
-
-CLIENTDIR=$HOME/.postgresql
-
-#
-# copy root certificate, if necessary
-#
-if [ ! -f $CLIENTDIR/root.crt -o -z $CLIENTDIR/root.crt ]
-then
- if [ -f /etc/postgresql/root.crt ]
- then
- /bin/cp -p /etc/postgresql/root.crt $CLIENTDIR
- fi
-fi
-
-#
-# generate client key, if one does not already exist.
-#
-if [ ! -f $CLIENTDIR/postgresql.key -o -z $CLIENTDIR/postgresql.key ]
-then
- if [ ! -f /etc/postgresql/dsa1024.pem -o -z /etc/postgresql/dsa1024.pem ]
- then
- /bin/echo "You must get the dsa1024.pem file from your DBA."
- exit 0
- fi
- openssl gendsa /etc/postgresql/dsa1024.pem |\
- openssl pkcs8 -topk8 -v2 bf -out $CLIENTDIR/postgresql.key
- /bin/chmod 0600 $CLIENTDIR/postgresql.key
-fi
-
-#
-# generate client SS certificate, if one does not already exist.
-#
-if [ ! -f $CLIENTDIR/postgresql.crt -o -z $CLIENTDIR/postgresql.crt ]
-then
- if [ ! -f $CLIENTDIR/postgresql.pem -o -z $CLIENTDIR/postgresql.pem ]
- then
- /bin/echo "Creating client certificate...."
- /bin/echo ""
- openssl req -new -x509 -out $CLIENTDIR/postgresql.pem \
- -key $CLIENTDIR/postgresql.key -config /etc/postgresql/client.conf
- /bin/echo ""
- /bin/cat << EOM
-
-You must now provide a copy of your ~/.postgresql/postgresql.pem file
-to your DBA for them to sign. When they have done so, you should rerun
-this application.
-EOM
- else
- cp -p $CLIENTDIR/postgresql.pem $CLIENTDIR/postgresql.crt
- fi
-fi
+++ /dev/null
-#
-# PostgreSQL sample configuration for *root* cert.
-# Contrast and compare with server.conf and client.conf.
-#
-
-# define something in case $PG_HOME isn't defined.
-PG_HOME = /var/lib/postgres
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = $ENV::PG_HOME/CA # Where everything is kept
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
-
-x509_extensions = clnt_cert # The extentions to add to the cert
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = sha1 # which md to use.
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_match
-
-# For the CA policy
-[ policy_match ]
-domainComponent = match
-#1.domainComponent = match
-#organizationName = match
-#organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-domainComponent = optional
-#1.domainComponent = optional
-#countryName = optional
-#stateOrProvinceName = optional
-#localityName = optional
-#organizationName = optional
-#organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-0.domainComponent = domain name (TLD)
-0.domainComponent_default = com
-0.domainComponent_min = 2
-0.domainComponent_max = 3
-
-1.domainComponent = domain name
-1.domainComponent_default = example
-1.domainComponent_min = 1
-1.domainComponent_max = 64
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Snake Oil
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-#organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Common Name
-commonName_value = PostgreSQL Root Cert
-#commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_default = postgres@example.com
-emailAddress_max = 40
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-
-[ svr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment = "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ clnt_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment = "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-# Extensions for a typical CA
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer:always
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-subjectAltName=email:copy
-# Copy issuer details
-issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+++ /dev/null
-#
-# PostgreSQL sample configuration for *server* cert.
-# Contrast and compare with root.conf and client.conf.
-#
-
-####################################################################
-[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-#x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-0.domainComponent = domain name (TLD)
-0.domainComponent_default = com
-0.domainComponent_min = 2
-0.domainComponent_max = 3
-
-1.domainComponent = domain name
-1.domainComponent_default = example
-1.domainComponent_min = 1
-1.domainComponent_max = 64
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Snake Oil
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-#organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = FQDN of server
-commonName_default = postgres.example.com
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_default = postgres@example.com
-emailAddress_max = 40
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment = "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-