Allow sslrootcert to accept more than one certificate

From Christian Schaefer
Subject Allow sslrootcert to accept more than one certificate
Date
Msg-id CAK-jKX=A44vyqJ6WC9e-85AMWN-i5=38eMYyqJV6HqcZ6j7S_A@mail.gmail.com
Responses Re: Allow sslrootcert to accept more than one certificate  (Dave Cramer <davecramer@postgres.rocks>)
List pgsql-jdbc
Hello,

I was looking for a way to provide multiple independent trusted certificates to the jdbc driver. I came across the parameter sslrootcert. This parameter is documented as:

"File name of the SSL root certificate. Defaults to defaultdir/root.crt

It can be a PEM encoded X509v3 certificate"


The wording indicates that this parameter accepts only one single certificate in defaultdir/root.crt (or the file to which sslrootcert points). However, according to the code which is used to build the Java KeyStore, it accepts more than one certificate (as LibPQFactory calls java.security.cert.CertificateFactory.generateCertificates(InputStream)). Similar to the sslrootcert parameter for libpq, the file may contain multiple (even independent, i.e. they don't need to build a single chain) concatenated PEM encoded certificates.

The documentation for sslrootcert in libpq states:

"
This parameter specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. The default is ~/.postgresql/root.crt  
"

In my opinion, adapting the wording in the documentation for sslrootcert in the JDBC driver documentation and allowing multiple certificates stored in the file to which sslrootcert points also makes it more compatible with sslrootcert of libpq.

If my understanding is correct, I'm happy to enter an issue or open a PR.

Regards,

Christian Schaefer
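
The behaviour described in the message above can be checked against the JDK directly. This is an added example, not code from the message or from pgjdbc: it writes two CA certificates taken from the JVM's default trust store into one concatenated PEM file (constructed sample input), reads the file back with CertificateFactory.generateCertificates(InputStream), and trusts every certificate found. The class name, helper names and alias scheme are assumptions.

```java
import java.io.BufferedInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Base64;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class MultiRootCertDemo {
    // Load every certificate in a PEM bundle into an in-memory trust store.
    static KeyStore loadBundle(Path pemFile) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty store, nothing is read from disk
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new BufferedInputStream(Files.newInputStream(pemFile))) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("root" + i++, c); // alias scheme is illustrative
            }
        }
        return ks;
    }

    // CAs a default TrustManager accepts for the given store (null = JVM default store).
    static X509Certificate[] issuers(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: two CAs from the JVM default trust store, concatenated as PEM.
        X509Certificate[] defaults = issuers(null);
        if (defaults.length < 2) throw new IllegalStateException("need two CAs in the default trust store");
        Base64.Encoder b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        StringBuilder pem = new StringBuilder();
        for (int i = 0; i < 2; i++) {
            pem.append("-----BEGIN CERTIFICATE-----\n").append(b64.encodeToString(defaults[i].getEncoded())).append("\n-----END CERTIFICATE-----\n");
        }
        Path bundle = Files.createTempFile("root", ".crt");
        Files.write(bundle, pem.toString().getBytes(StandardCharsets.US_ASCII));

        for (X509Certificate ca : issuers(loadBundle(bundle))) {
            System.out.println("trusted: " + ca.getSubjectX500Principal().getName());
        }
        Files.delete(bundle);
    }
}
```

Both subjects are printed, so a server certificate signed by either CA would validate against this store; anyone maintaining such a bundle should treat each appended certificate as a full trust anchor.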
