> > If you stick a root certificate (root.crt in ~/.postgresql)
> for it to
> > validate against, it will be validated against that root.
> I'm not sure
> > if it validates the common name of the cert though - that
> would be an
> > issue if you're using a global CA. If you're using a local
> enterprise
> > CA, that's a much smaller issue (because you yourself have total
> > control over who gets certificates issued by the CA).
>
> But in either case, it would only be checking that the cert
> had been issued by that CA, no? Unless you set up a CA that
> only ever issues certificates to your PG server, someone else
> with a cert from the CA could still impersonate. Or am I
> mistaken about that?
Correct. But if you run your own enterprise CA, that's exactly the kind
of thing you can make sure - that nobody else has a certificate from
that CA.
But no, it wouldn't be bad if there was a way to specify exactly which
cert is used. Or at least validate the common name of it agains the
hostname of the server.
//Magnus