BUG #15137: X509 auth breaks in CA has extendedKeyUsage

From: PG Bug reporting form
Subject: BUG #15137: X509 auth breaks in CA has extendedKeyUsage
Msg-id: 152241548992.6324.5143838178015534589@wrigleys.postgresql.org
List: pgsql-bugs
The following bug has been logged on the website:

Bug reference:      15137
Logged by:          cocowalla
Email address:      colin.anderson333+pgsql@gmail.com
PostgreSQL version: 10.2
Operating system:   Debian
Description:

I've set up my own X509 CA for testing. If the `extendedKeyUsage` flag is
set to a custom OID in the CA certificate, Postgres is unable to verify any
client certificates.

I see this in the logs, and clients cannot connect:

  Could not accept SSL connection: certificate verify failed

Sample openssl config snippet:

[ ca_extensions ]
basicConstraints       = CA:true
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = keyCertSign,cRLSign,digitalSignature
extendedKeyUsage       = 1.3.6.1.4.1.12345.1.2

And the command used to generate the CA:
openssl req -new -x509 -sha256 \
  -subj "/O=Acme/OU=Acme/emailAddress=support@acme.com/CN=MyCA" \
  -keyout "CA.key" -out "CA.crt" -days 7300 -newkey rsa:2048 \
  -extensions ca_extensions
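
A reproduction check for the report above, as an added example that is not part of the original message: it builds a throwaway CA from the reported extension section, issues one client certificate, and runs `openssl verify -purpose sslclient` to see whether the chain is already rejected outside PostgreSQL. The client subject `testuser`, the file names, the 30-day lifetime and the third case (listing `clientAuth` next to the custom OID) are assumptions made for the example.

```shell
#!/bin/sh
# Constructed reproduction; all certificates are throwaway test material.
# build_and_verify EKU_LINE: create a CA whose extension section contains
# EKU_LINE (may be empty), sign one client cert, verify it for TLS client use.
# Returns 0 if verification succeeds, 1 if it fails, 2 on a setup error.
build_and_verify() {
    eku_line=$1
    dir=$(mktemp -d) || return 2
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
O  = Acme
CN = MyCA
[ ca_extensions ]
basicConstraints       = CA:true
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = keyCertSign,cRLSign,digitalSignature
$eku_line
EOF
    openssl req -new -x509 -sha256 -config "$dir/ca.cnf" -extensions ca_extensions \
        -newkey rsa:2048 -nodes -keyout "$dir/CA.key" -out "$dir/CA.crt" -days 30 \
        >/dev/null 2>&1 || return 2
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=testuser" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1 || return 2
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -CAcreateserial -days 30 -out "$dir/client.crt" >/dev/null 2>&1 || return 2
    # Same purpose a TLS server applies when it validates a client certificate.
    out=$(openssl verify -purpose sslclient -CAfile "$dir/CA.crt" "$dir/client.crt" 2>&1)
    rm -rf "$dir"
    printf '%s\n' "$out"
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Three CAs: no EKU, the reported custom-OID EKU, and custom OID plus clientAuth.
for eku in "" "extendedKeyUsage = 1.3.6.1.4.1.12345.1.2" \
           "extendedKeyUsage = clientAuth, 1.3.6.1.4.1.12345.1.2"; do
    echo "== CA with: ${eku:-no extendedKeyUsage}"
    build_and_verify "$eku" || echo "   -> verification failed (status $?)"
done
```

If the second case fails here too, the rejection comes from OpenSSL's certificate purpose check on the CA rather than from PostgreSQL's own code.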

