On Tue, 2 Jun 2020 at 20:14, Bruce Momjian <bruce@momjian.us> wrote:
The server certificate should be issued by a certificate authority root outside of your organization only if you want people outside of your organization to trust your server certificate, but you are then asking for the client to only trust an intermediate inside your organization. The big question is why bother having the server certificate chain to a root certificate you don't trust when you have no intention of having clients outside of your organization trust the server certificate. Postgres could be made to handle such cases, but is it really a valid configuration we should support?
I think the "why" the org cert is not root was already made clear, that is the company policy. I don't think postgres should take a stance whether the certificate designated as the root of trust is self-signed or claims to get its power from somewhere else.
It's pretty easy to conceive of certificate management procedures that make use of this chain to implement certificate replacement securely. For example, one might trust the global issuer to verify that a CSR is coming from the O= value that it's claiming to come from to automate replacement of intermediate certificates, but not trust that every other sub-CA signed by the root and their sub-sub-CAs are completely honest and secure.
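An added illustration of the point above, written for this note in Go against the standard library (not code from this thread or from Postgres; every CA name, organization and host name is made up): a global root signs both the org's intermediate and an unrelated sub-CA. The org's server cert verifies whether the configured trust anchor is the global root or only the org intermediate, while a server cert issued under the other sub-CA verifies only when the global root itself is the anchor, which is exactly the exposure that pinning the intermediate as the root of trust removes.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var serial int64 // constructed serial counter; real CAs use random serials
// mkCert issues a short-lived P-256 certificate for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{"ExampleOrg"}, CommonName: cn}, // made-up names
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifies reports whether leaf chains to anchor; extra certs are offered as untrusted intermediates.
func verifies(leaf, anchor *x509.Certificate, extra ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor) // the anchor need not be self-signed, as with an org intermediate
	for _, c := range extra {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
// Scenario builds global root -> {org intermediate, other sub-CA} -> server certs and returns whether
// the org server verifies via the root, via the org CA alone, and whether the other server verifies via each.
func Scenario() (orgViaRoot, orgViaOrgCA, otherViaRoot, otherViaOrgCA bool) {
	root, rootKey := mkCert("Global Root CA", true, nil, nil)
	orgCA, orgKey := mkCert("Org Intermediate CA", true, root, rootKey)
	otherCA, otherKey := mkCert("Other Sub-CA", true, root, rootKey)
	orgSrv, _ := mkCert("db.example.org", false, orgCA, orgKey)
	otherSrv, _ := mkCert("db.example.org", false, otherCA, otherKey) // same name, different issuer
	return verifies(orgSrv, root, orgCA), verifies(orgSrv, orgCA), verifies(otherSrv, root, otherCA), verifies(otherSrv, orgCA, otherCA)
}
```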