>
> I personally haven't tired SSL for PostgreSQL but, I think, You should
> put in root.crt only intermediate certificate (C1 - from prev post), so
> all and only all "sub-certs" of intermediate CA will be able to
> establish connection (paranoic security).
>
> Putting intermediate CAs as trusted in Java keystore may be solution,
> but I'm not sure if in situation of cert invalidation, such cert will be
> rejected.
>
> If you want to write SSL Factory, you should re-implement KeyManager
> only, to give ability of extended search.
>
> Regards,
> Radek
>
I have already tried with only C1 in root.crt but unfortunately it does not work. I get error message that cert is
invalid.It seems that chained CA's are not supported in a way we would like to have it done. I would prefer to have
numberof trusted certs in root.crt limited as much as possible, but as I said it does not work.
About Java, I would need to analyze the libpq code and implement KeyManager in a similar way - this is surely possible
butnot necessarily preferred solution ;-)
Kind regards,
Joanna