Client Certificate Authentication Using Custom Fields (i.e. other than CN)

From George Hafiz
Subject Client Certificate Authentication Using Custom Fields (i.e. other than CN)
Date
Msg-id CAM08e9bY1q2a6O595YrYF1Cz+kWBYkYF7Vw-_bz7q0pUsWyU5A@mail.gmail.com
Replies Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)  (David Fetter <david@fetter.org>)
List pgsql-hackers
Hello,

It is currently only possible to authenticate clients using certificates with the CN.

I would like to propose that the field used to identify the client be configurable, e.g. being able to specify DN as the appropriate field. The reason is that in some organisations you might want to use the corporate PKI, but the CN of such certificates is not controlled.

In my case, the DN of our corporate-issued client certificates is controlled and derived from AD groups we are members of. Only users in those groups can request client certificates with a DN that is equal to the AD group ID. This would make DN a perfectly suitable drop-in replacement for Postgres client certificate authentication, but as it stands it is not possible to change the field used.

Best regards,
George
