Re: Trust intermediate CA for client certificates

From Tom Lane
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 1133.1362666517@sss.pgh.pa.us
In reply to Trust intermediate CA for client certificates  (Ian Pilcher <arequipeno@gmail.com>)
Responses Re: Trust intermediate CA for client certificates
List pgsql-general
Ian Pilcher <arequipeno@gmail.com> writes:
> I am trying to configure PostgreSQL 8.4 to trust an intermediate CA for
> client certificate validation -- without trusting everything signed by
> the root CA (or a different intermediate CA).  Given the following CA
> hierarchy, for example, I would like to trust *only* client certificates
> signed by the client CA.

>             +---------+
>             | Root CA |
>             +---------+
>                 /\
>                /  \
>               /    \
>              /      \
>             /        \
>            /          \
>           /            \
>          /              \
>   +-----------+    +-----------+
>   | Server CA |    | Client CA |
>   +-----------+    +-----------+

> I expected that I could simply use the client CA certificate as
> $PGDATA/root.crt, but this does not work; I get an "unknown ca" error.

Maybe I'm missing something, but I don't see why you'd expect a
different result.  That leaves you with no way to validate the server's
own certificate.

I think it might work to put both the server CA and client CA certs
(but not the root CA cert) into the server's root.crt.

            regards, tom lane
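
An added example, not part of the original message and not PostgreSQL code: it uses the openssl command-line tool to show how OpenSSL's verifier treats a trust file that holds only the Client CA, and what pinning to that CA accepts and rejects. The hierarchy mirrors the diagram above; all certificate names, the temp directory and the helper functions are constructed for the demo, and OpenSSL 1.0.2 or later is assumed.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA hierarchy in a temp dir; every name is made up.
# Assumes the OpenSSL CLI, 1.0.2 or later (needed for -partial_chain).
chain_demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    cd "$d" || exit 1
    # Minimal config so the demo does not depend on a system openssl.cnf.
    printf '%s\n' '[req]' 'prompt=no' 'distinguished_name=dn' '[dn]' \
        'CN=unused' '[ca]' 'basicConstraints=critical,CA:TRUE' > o.cnf

    # issue <name> <issuer> [ca]: new key and CSR, signed by <issuer>;
    # a third argument marks the new certificate as a CA.
    issue() {
        openssl req -config o.cnf -new -newkey rsa:2048 -nodes \
            -keyout "$1.key" -out "$1.csr" -subj "/CN=demo $1" >/dev/null 2>&1 &&
        openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
            -CAcreateserial -days 1 ${3:+-extfile o.cnf -extensions ca} \
            -out "$1.crt" >/dev/null 2>&1
    }
    # check <verify args...>: prints ok or fail for one verification.
    check() {
        if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
    }

    openssl req -config o.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
        -extensions ca -keyout root.key -out root.crt \
        -subj "/CN=demo root" >/dev/null 2>&1 || exit 1
    issue serverca root ca && issue clientca root ca &&
        issue app clientca && issue other serverca || exit 1

    # 1. Trust file holds only the Client CA: the default verifier wants the
    #    chain to end at a self-signed trusted certificate, so this fails.
    a=$(check -CAfile clientca.crt app.crt)
    # 2. Same trust file, but the intermediate is accepted as a trust anchor.
    b=$(check -partial_chain -CAfile clientca.crt app.crt)
    # 3. Pinned to the Client CA, a certificate from the sibling CA is rejected.
    c=$(check -partial_chain -CAfile clientca.crt -untrusted serverca.crt other.crt)
    # 4. Trusting the root instead accepts that sibling-issued certificate.
    e=$(check -CAfile root.crt -untrusted serverca.crt other.crt)
    echo "clientca-only=$a partial-chain=$b sibling-pinned=$c sibling-root=$e"
)
chain_demo
```

Cases 3 and 4 are the scoping question from the original post: the same sibling-issued certificate is rejected when trust is pinned to the Client CA and accepted when the root is trusted.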

