SSL auth problem

From: Vitaliyi
Subject: SSL auth problem
Msg-id: 3aac340805151857o187e9c91t9bab474b227d5417@mail.gmail.com
Replies: Re: SSL auth problem
List: pgsql-general

Good day,

I'm trying to set up SSL auth.

Creating the CA:

openssl genrsa -out our.key 2048
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

then I copy root.crt to the postgresql host and to the client host into ~/.postgresql

Generating another key on the server:

openssl genrsa -out server.key 2048
then a request for signing by the CA:
openssl req -new -key server.key -out server.req

Signing on the CA:

openssl req -x509 -in server.req -text -key our.key -out server.crt

Now the postgresql data dir contains the following files:

server.crt
server.key
root.crt
and a blank root.crl

On the client host:

cd ~/.postgresql
openssl genrsa -out postgresql.key 2048
then sign it with our.key on the CA and place postgresql.crt and root.crt
into ~/.postgresql


This is my picture of what is happening:

1. We use our CA public key to generate root.crt:

root_signature = ca_pub_key**ca_priv_key % n

2. On the postgres server we create a key pair and sign the public key on the CA, receiving
server_signature (server.crt):

server_signature = server_pub_key**root_priv_key % n

The client uses server_signature before encrypting and sending a message to the server:

server_pub_key = server_signature**root_pub_key % n

If server_pub_key is valid, then the user encrypts the message with server_pub_key.


3. The client generates his own key pair and asks our CA to sign his public key.

client_signature = client_pub_key**ca_priv_key % n

He writes client_signature to postgresql.crt, which the server uses when
sending something to the client:

client_pub_key = client_signature**root_pub_key % n


If everything is correct, then why is psql complaining:

psql "dbname=me sslmode=require host=postgres_server user=me"
psql: SSL error: certificate verify failed

Log on postgres_server:

postgres[98462]: [3-1] LOG:  could not accept SSL connection: tlsv1 alert unknown ca



P.S. postgres-8.2 on FreeBSD
postgresql-client-8.2 on Debian
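As an added example, not part of the original post and not PostgreSQL's own documentation: the same three-step setup, with the server and client certificates actually issued under the CA, next to the post's signing step for comparison. The CA step in the post is fine, since `req -x509` on the CA's own key is exactly how a self-signed root is made. The server step is where it goes wrong: `openssl req -x509 -in server.req -key our.key` does not issue a CA-signed certificate. `req -x509` always writes a self-signed-style certificate whose issuer is the request's own subject; `-key` only chooses which key signs it. The result names itself as its issuer, so a verifier holding root.crt has nothing to link it to, which is what "certificate verify failed" on the client and the "unknown ca" alert in the server log report. The command that issues a certificate from a CSR under a CA is `openssl x509 -req -CA root.crt -CAkey our.key`. The subject names and the scratch directory are assumptions; the script needs `openssl` in PATH.

```shell
#!/bin/sh
# Added example, not from the original post: CA, server and client
# certificates for PostgreSQL SSL, issued so that they chain to root.crt,
# next to the post's "req -x509" variant that does not.
# Assumptions: openssl is in PATH; the subject names are made up; a
# scratch directory stands in for the data dir and ~/.postgresql.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. CA: private key plus a self-signed root. This is the one place where
#    "req -x509" belongs, because the root really is self-signed.
openssl genrsa -out our.key 2048 2>/dev/null
openssl req -new -x509 -key our.key -days 3650 \
    -subj "/CN=Example Root CA" -out root.crt

# issue_cert NAME CN: key + CSR for NAME, then a certificate issued by the CA.
# "x509 -req -CA/-CAkey" sets issuer = root.crt's subject and signs with our.key,
# which is what lets a verifier holding root.crt link the certificate to it.
issue_cert() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    chmod 600 "$1.key"      # PostgreSQL and libpq refuse a key file others can read
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.req"
    openssl x509 -req -in "$1.req" -CA root.crt -CAkey our.key -CAcreateserial \
        -days 365 -out "$1.crt" 2>/dev/null
}

# 2. Server files go to the data dir as server.key / server.crt / root.crt.
issue_cert server postgres_server
# 3. Client files go to ~/.postgresql as postgresql.key / postgresql.crt / root.crt.
issue_cert postgresql me

# 4. The post's signing step. "req -x509" on a CSR writes a certificate whose
#    issuer is the CSR's own subject; -key only picks the signing key, so the
#    result names itself as issuer while carrying a signature made with our.key.
openssl req -x509 -in server.req -key our.key -days 365 -out server_bad.crt 2>/dev/null

# issuer_of CERT: the issuer DN as openssl prints it.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# chains_to_root CERT: succeeds only if openssl verify accepts CERT under
# root.crt, the same check libpq makes against ~/.postgresql/root.crt.
chains_to_root() { openssl verify -CAfile root.crt "$1" 2>&1 | grep -q ': OK$'; }

chains_to_root server.crt     && echo "server.crt: chains to root.crt ($(issuer_of server.crt))"
chains_to_root postgresql.crt && echo "postgresql.crt: chains to root.crt"
chains_to_root server_bad.crt || echo "server_bad.crt: not trusted ($(issuer_of server_bad.crt))"
```

Run it as is to see the two issued certificates verify and the `req -x509` one fail; the printed issuer lines make the difference visible: the good certificates name the CA as issuer, the bad one names `postgres_server`. For the real deployment, substitute the data dir and `~/.postgresql` for the scratch directory and keep `our.key` off both hosts.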

In the pgsql-general list, by date sent:

Previous
From: Adrian Klaver
Subject: Re: problem with serial data type and access
Next
From: Chuck Bai
Subject: Re: How to create a function with multiple RefCursor OUT parameters