On Tue, Feb 28, 2017 at 10:50:02PM +0100, Frazer McLean wrote:
> On 28 Feb 2017, at 21:51, Bruce Momjian wrote:
> >I have researched this and will post a blog and and document the fix in
> >the next few months. The reason you have to supply the entire
> >certificate chain to the root CA on the client is because you have not
> >used the "-extensions v3_ca" flag to openssl when creating the CA x509
> >request. You have to mark the certificates as CAs so they are passed
> >from the server to the client. You are looking for the CA certificates
> >to say:
> >
> > X509v3 Basic Constraints:
> > CA:TRUE
> >
>
> My `ca.cert.pem` file has
>
> X509v3 Basic Constraints: critical
> CA:TRUE
>
> The `intermediate.cert.pem` has
>
> X509v3 Basic Constraints: critical
> CA:TRUE, pathlen:0
>
> This intermediate cert was generated using the `v3_intermediate_ca`
> extension defined in [1]. I wouldn’t expect *not* to have to give the full
> certificate chain to the client, since both were created by me.
>
> To summarise my problem and solution: the connection worked fine until
> `ssl_crl_file` was enabled. I was trying to use a CRL generated from the
> intermediate CA, assuming PostgreSQL would trust it since it knows about the
> full CA chain in `ssl_ca_file`. Apparently, it must be a CRL generated from
> the root concatenated to a CRL generated from the intermediate, and then it
> works.
Oh, OK, that is beyond my understanding. Thanks.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +