> If the libpq root.crt file can be made to work similarly to a > Java trustStore, that expands the possible solution space.
If I understand you correctly, you want a file in which you drop any of these intermediate CA's cert in, causing the server to trust a cert emitted by that CA -- regardless of that CA being actually root.
I think he wants only certificates signed by the specific intermediate certificate to be trusted.
I just had an idea: would it work to create a self-signed root certificate, put it in root.crt, and then use it to sign the intermediate certificate?
You can't use other people's certificates to sign your certificates, and it's not usual to sign other people's intermediate certificates, but as far as I can tell there is no reason you can't.