"Magnus Hagander" <mha@sollentuna.net> writes:
> If you stick a root certificate (root.crt in ~/.postgresql) for it to
> validate against, it will be validated against that root. I'm not sure
> if it validates the common name of the cert though - that would be an
> issue if you're using a global CA. If you're using a local enterprise
> CA, that's a much smaller issue (because you yourself have total control
> over who gets certificates issued by the CA).
But in either case, it would only be checking that the cert had been
issued by that CA, no? Unless you set up a CA that only ever issues
certificates to your PG server, someone else with a cert from the CA
could still impersonate. Or am I mistaken about that?
regards, tom lane