On Mon, Dec 2, 2013 at 04:17:57PM -0500, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > Sorry, I should have said:
>
> > Tom is saying that for his openssl version, a client that passed
> > an intermediate certificate had to supply a certificate _matching_
> > something in the remote root.crt, not just signed by it.
>
> > At least I think that was the issue, rather than requiring the client to
> > supply a "root" certificate, meaning the client can supply an
> > intermediate or root certificicate, as long as it appears in the
> > root.crt file on the remote end.
>
> As far as the server is concerned, anything listed in its root.crt *is* a
> trusted root CA. Doesn't matter if it's a child of some other CA.
Uh, the original poster complained that he couldn't put _just_ an
intermediate certificate in root.crt and have it work:
http://www.postgresql.org/message-id/kh90q0$tv8$1@ger.gmane.orgI expected that I could simply use the client CA
certificateas$PGDATA/root.crt, but this does not work; I get an "unknown ca" error.AFAICT, there is absolutely no way
tomake PostgreSQL trust a CA that isnot a self-signed root CA.
I am confused.
> The issue is that the client's cert has to be linked to some element of
> root.crt somehow. In principle you'd think that if the client provides
> an intermediate CA cert, the server should be able to match that to
> whichever root.crt member signed it, but that wasn't what I saw
> happening. It'd be good for someone who uses SSL more than I do to
> replicate the experiment, though. It's not impossible that I screwed up.
Agreed. Anyone? I can try, but I am a novice.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ Everyone has their own god. +