Re: How to setup chained CA?
From | Tom Lane
---|---
Subject | Re: How to setup chained CA?
Date |
Msg-id | 23711.1351638599@sss.pgh.pa.us
In reply to | How to setup chained CA? (ChoonSoo Park <luispark@gmail.com>)
Responses | Re: How to setup chained CA?
List | pgsql-general
ChoonSoo Park <luispark@gmail.com> writes:
> Then I tried to test more complex thing - chained CA.
> Scenario 1. Postgresql having server.crt signed by Root CA and one of
> clients having postgresql.crt signed by intermediate CA.
> Machine 1: Created a new intermediate CA (ra.crt) signed by root
> certificate. Created a new client certificate signed by the intermediate CA.
> Concatenated root CA & intermediate CA using
> openssl x509 -text -in root.crt > newroot.crt
> openssl x509 -text -in ra.crt >> newroot.crt

Not an SSL expert, but my recollection is that the order of the certs in
the file is significant, and this order is the wrong one: root cert goes
last. Moreover, root.crt should basically only contain the trusted root
cert. The chains of intermediate certs (plus a copy of the root cert)
belong in server.crt and the client-side postgresql.crt. Not terribly
good design, probably, but you'd have to take that up with the openssl
folk not us.

FWIW, I *have* tested chained certs, and they do work for me per the
documentation; or at least did the last time I tried it about two years
ago.

regards, tom lane
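Added example, not part of the thread: a shell script that mints a throwaway root, intermediate and server leaf with the openssl CLI and then shows the layout described in the reply: root.crt holds only the trusted root, server.crt carries the leaf first, the intermediate next and the root last, and verification against root.crt alone fails because nothing bridges the gap to the intermediate. The names root.crt, ra.crt and server.crt come from the thread; the subjects, key sizes, the ca.ext file and the work directory are constructed for this demo, and an openssl 1.1.1 or 3.x binary on PATH is assumed.

```shell
#!/bin/sh
# Added demo (not from the thread). Names root.crt / ra.crt / server.crt follow
# the thread; subjects, key sizes, ca.ext and the work directory are constructed.

# Mint a throwaway PKI in $1: self-signed root, intermediate (ra) signed by the
# root, and a server leaf signed only by the intermediate.
make_test_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout root.key -out root.crt >/dev/null 2>&1 || exit 1
    # An intermediate must assert CA:TRUE or openssl rejects it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout ra.key -out ra.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -days 1 -in ra.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out ra.crt >/dev/null 2>&1 || exit 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pg.demo.invalid" \
        -keyout server.key -out server.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -days 1 -in server.csr -CA ra.crt -CAkey ra.key \
        -CAcreateserial -out server-leaf.crt >/dev/null 2>&1 || exit 1
)

# The layout the reply describes: root.crt keeps only the trusted root, while
# server.crt is the leaf first, then the intermediate(s), then the root last.
# (The client-side postgresql.crt is built the same way from the client leaf.)
assemble_server_bundle() (
    cd "$1" || exit 1
    cat server-leaf.crt ra.crt root.crt > server.crt
)

# Verify the leaf against root.crt alone (the broken scenario) or with the
# intermediates supplied from $2 (ra.crt or the assembled server.crt).
# Prints OK or FAIL.
verify_leaf() (
    cd "$1" || exit 1
    if [ -n "$2" ]; then
        openssl verify -CAfile root.crt -untrusted "$2" server-leaf.crt
    else
        openssl verify -CAfile root.crt server-leaf.crt
    fi >/dev/null 2>&1 && echo OK || echo FAIL
)

# Subject of the first certificate in a bundle; openssl x509 reads only the
# first PEM block, which is why the leaf must come first in server.crt.
first_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}
```

With a work directory of your choice, `make_test_pki /tmp/pki && assemble_server_bundle /tmp/pki && verify_leaf /tmp/pki server.crt` prints OK, while `verify_leaf /tmp/pki` (root.crt alone) prints FAIL.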