Re: [GENERAL] Configuring ssl_crl_file

From: Frazer McLean
Subject: Re: [GENERAL] Configuring ssl_crl_file
Msg-id: 4B989490-4959-42F2-A4D2-0754A935B91E@frazermclean.co.uk
In reply to: [GENERAL] Configuring ssl_crl_file  ("Frazer McLean" <frazer@frazermclean.co.uk>)
Responses: Re: [GENERAL] Configuring ssl_crl_file
List: pgsql-general

I found a solution to the problem, which I’ll send here to help those
who find the original email via search.

The intermediate CRL file must be concatenated to CRL files going back
to the root CA.

On 26 Feb 2017, at 15:42, Frazer McLean wrote:

> Hi,
>
> I was trying to set up PostgreSQL to use a certificate revocation list
> so I could revoke client certificates, but was unable to get it to
> work.
>
> I was following [this tutorial][1] to create root and intermediate CA
> certificates, then producing certificates for the PostgreSQL server
> and client.
>
> I have created a [Dockerfile][2] which shows the problem. The short
> story is that with the CRL I’ve created in PEM format, a client
> certificate is rejected with error “psql: SSL error: tlsv1 alert
> unknown ca”. If I don’t set ssl_crl_file, the client certificate
> is accepted.
>
> I tested on 9.4-9.6. I tried to find examples about using ssl_crl_file
> but wasn’t able to find anything. I found [this message][3] from
> 2014 without any replies.
>
> [1]:
> https://jamielinux.com/docs/openssl-certificate-authority/index.html
> [2]: https://github.com/RazerM/postgres_crl_test
> [3]: https://postgrespro.com/list/thread-id/1163456
>
> Kind regards,
>
> Frazer McLean
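
The behaviour described in this message can be reproduced without PostgreSQL, as an added example that is not part of the original post: `openssl verify -crl_check_all` wants a CRL for every certificate in the chain, so the intermediate CRL alone rejects even a valid client, while the concatenated file accepts it and still rejects a revoked one. The CA names, file names and the `crl_demo` function are constructed for this sketch, which assumes the `openssl` CLI is installed.

```sh
#!/bin/sh
# Added example: throwaway root -> intermediate -> client PKI (all names constructed).
# Assumes the openssl CLI is installed; nothing here touches a real PostgreSQL.
crl_demo() (
  cd "$(mktemp -d)" || exit 1
  exec 2>/dev/null                      # hide openssl progress output; remove to debug
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = demo
[v3_ca]
basicConstraints = critical,CA:true
[ca]
default_ca = crl
[crl]
database = index.txt
default_md = sha256
EOF
  : > index.txt                         # revocation database used by `openssl ca`
  openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -extensions v3_ca \
    -subj "/CN=Demo Root CA" -days 30 -keyout root.key -out root.crt || exit 1
  issue() {  # issue <name> <subject> <issuer> <serial> [extra x509 options]
    name=$1 subj=$2 ca=$3 serial=$4; shift 4
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj "$subj" \
      -keyout "$name.key" -out "$name.csr" &&
    openssl x509 -req -in "$name.csr" -CA "$ca.crt" -CAkey "$ca.key" \
      -set_serial "$serial" -days 30 -out "$name.crt" "$@"
  }
  issue int "/CN=Demo Intermediate CA" root 1 -extfile demo.cnf -extensions v3_ca &&
  issue good "/CN=good-client" int 2 &&
  issue bad "/CN=revoked-client" int 3 || exit 1
  gencrl() {  # gencrl <ca>: write <ca>.crl signed by that CA
    openssl ca -config demo.cnf -gencrl -crldays 30 \
      -keyfile "$1.key" -cert "$1.crt" -out "$1.crl"
  }
  gencrl root || exit 1                 # root CRL: empty, issued before any revocation
  openssl ca -config demo.cnf -keyfile int.key -cert int.crt -revoke bad.crt &&
  gencrl int || exit 1                  # intermediate CRL: lists bad.crt
  cat int.crl root.crl > chain.crl      # the fix: one file, CRLs back to the root
  check() {  # check <crl file> <cert>: verify with CRL checks on the whole chain
    openssl verify -crl_check_all -CAfile root.crt -untrusted int.crt \
      -CRLfile "$1" "$2" >/dev/null && echo accepted || echo rejected
  }
  echo "intermediate CRL only, valid client: $(check int.crl good.crt)"
  echo "concatenated CRLs, valid client: $(check chain.crl good.crt)"
  echo "concatenated CRLs, revoked client: $(check chain.crl bad.crt)"
)
crl_demo
```

In a PostgreSQL setup, the concatenated `chain.crl` is the file that `ssl_crl_file` would point to.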

