Re: Trust intermediate CA for client certificates
From | Tom Lane |
---|---|
Subject | Re: Trust intermediate CA for client certificates |
Date | |
Msg-id | 1133.1362666517@sss.pgh.pa.us |
In reply to | Trust intermediate CA for client certificates (Ian Pilcher <arequipeno@gmail.com>) |
Responses | Re: Trust intermediate CA for client certificates |
List | pgsql-general |

Ian Pilcher <arequipeno@gmail.com> writes:
> I am trying to configure PostgreSQL 8.4 to trust an intermediate CA for
> client certificate validation -- without trusting everything signed by
> the root CA (or a different intermediate CA).  Given the following CA
> hierarchy, for example, I would like to trust *only* client certificates
> signed by the client CA.
>
>                  +---------+
>                  | Root CA |
>                  +---------+
>                       /\
>                      /  \
>                     /    \
>                    /      \
>                   /        \
>                  /          \
>                 /            \
>                /              \
>         +-----------+    +-----------+
>         | Server CA |    | Client CA |
>         +-----------+    +-----------+
>
> I expected that I could simply use the client CA certificate as
> $PGDATA/root.crt, but this does not work; I get an "unknown ca" error.

Maybe I'm missing something, but I don't see why you'd expect a
different result.  That leaves you with no way to validate the server's
own certificate.  I think it might work to put both the server CA and
client CA certs (but not the root CA cert) into the server's root.crt.

			regards, tom lane
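
The trust-store layouts discussed in this thread can be tried outside PostgreSQL with the `openssl verify` command. The script below is an added example, not part of the original message: it builds a constructed throwaway hierarchy (the file names, subject names and the alice/bob leaf certificates are assumptions) and checks each layout, including OpenSSL's `-partial_chain` flag, which the thread does not mention.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, Root CA -> {Server CA, Client CA} -> leaves.
# All file names and subject names below are assumptions made for this demo.
D=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$D/leaf.ext"

# issue NAME ISSUER EXTFILE  (ISSUER "self" makes a self-signed root)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $1" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null || return 1
  if [ "$2" = self ]; then
    signer="-signkey $D/$1.key"
  else
    signer="-CA $D/$2.crt -CAkey $D/$2.key -CAcreateserial"
  fi
  # $signer is intentionally unquoted so it splits into separate arguments
  openssl x509 -req -in "$D/$1.csr" $signer -extfile "$D/$3" \
    -days 30 -out "$D/$1.crt" 2>/dev/null
}

build_pki() {
  issue root self ca.ext && issue server-ca root ca.ext &&
  issue client-ca root ca.ext && issue alice client-ca leaf.ext &&
  issue bob server-ca leaf.ext || return 1
  # Trust-store layouts discussed in the thread, plus the full client chain.
  cp "$D/client-ca.crt" "$D/trust-client-only.crt"
  cat "$D/server-ca.crt" "$D/client-ca.crt" > "$D/trust-both-intermediates.crt"
  cat "$D/root.crt" "$D/client-ca.crt" > "$D/trust-root-and-client.crt"
}

# verifies TRUSTFILE LEAF [extra openssl verify flags]; exit status 0 = chain accepted
verifies() {
  trust=$1; leaf=$2; shift 2
  openssl verify "$@" -CAfile "$D/$trust" "$D/$leaf.crt" >/dev/null 2>&1
}

report() {
  if verifies "$@"; then echo "ACCEPT  $*"; else echo "REJECT  $*"; fi
}

build_pki || { echo "openssl failed to build the demo PKI" >&2; exit 1; }
report trust-root-and-client.crt alice            # full chain up to the root
report trust-client-only.crt alice                # client CA alone
report trust-both-intermediates.crt alice         # both intermediates, no root
report trust-client-only.crt alice -partial_chain # intermediate as trust anchor
report trust-client-only.crt bob -partial_chain   # leaf issued by the server CA
```

These results describe `openssl verify` only; whether a given PostgreSQL build behaves the same way depends on the verification flags it passes to OpenSSL.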