A few years ago I figured out how to create intermediate certificates that are transferred across OpenSSL connections by using the v3_ca extension, and added this to the PG documentation.
I have now just figured out that v3_ca is just a heading in the openssl configuration file, e.g., /etc/ssl/openssl.cnf, and that it is specifically this line that enables this to work:

basicConstraints = critical,CA:true

I have created the attached documentation patch to clarify exactly what is needed, in case non-openssl tools are used.

-- 
Bruce Momjian <br...@momjian.us> https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index c8698898f3..f705c4fec1 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -2194,7 +2194,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 can also be appended to the file. Doing this avoids the necessity of storing intermediate certificates on clients, assuming the root and intermediate certificates were created with <literal>v3_ca</literal> - extensions. This allows easier expiration of intermediate certificates. + extensions (which sets <literal>CA:TRUE</literal> on certificates). + This allows easier expiration of intermediate certificates. </para> <para>
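Review bot: the new parenthetical "(which sets <literal>CA:TRUE</literal> on certificates)" still leaves <literal>v3_ca</literal> described as "extensions", although the message body itself notes that v3_ca is only a section heading in OpenSSL's configuration file, and users of non-OpenSSL tools will not have a v3_ca at all. Consider naming the actual extension the sentence depends on, for example: "assuming the root and intermediate certificates were created with the <literal>basicConstraints</literal> extension set to <literal>CA:true</literal> (the <literal>v3_ca</literal> section of the OpenSSL configuration file)". Stating that the constraint must be present on the intermediate in particular would also make clear why the appended intermediate is accepted by clients that hold only the root.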
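As an added example (not part of the patch or of PostgreSQL), the following script builds a root, an intermediate and a server certificate with openssl, writes server.crt in the layout the documentation describes (server certificate first, intermediate appended) and verifies it as a client that trusts only the root; all subjects, file names and paths are constructed for the example, and it assumes an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example, not part of the patch or PostgreSQL: build a root -> intermediate
# -> server chain and check that a client holding only root.crt can validate
# server.crt (leaf with intermediate appended) only when the intermediate carries
# basicConstraints CA:true, the line the v3_ca section of openssl.cnf supplies.
set -eu

# Write an extension file equivalent to the v3_ca section; $2 is "true" or "false".
write_ca_ext() {
    printf 'basicConstraints = critical,CA:%s\nkeyUsage = critical,keyCertSign,cRLSign\n' "$2" > "$1"
    printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' >> "$1"
}

# Build the chain in directory $1 with the intermediate marked CA:$2, producing
# server.crt in PostgreSQL's layout: server certificate first, intermediate appended.
# Subjects and file names are constructed for the example.
build_chain() {
    dir=$1; ca_flag=$2
    mkdir -p "$dir"
    write_ca_ext "$dir/root.ext" true
    write_ca_ext "$dir/int.ext" "$ca_flag"
    # Root CA: self-signed, always CA:true.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" \
        -subj "/CN=Example Root" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -extfile "$dir/root.ext" \
        -days 30 -out "$dir/root.crt" >/dev/null 2>&1
    # Intermediate: signed by the root with the chosen basicConstraints value.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Example Intermediate" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/int.ext" -days 30 -out "$dir/int.crt" >/dev/null 2>&1
    # Server leaf: signed by the intermediate, no CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=db.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 30 -out "$dir/server.crt" >/dev/null 2>&1
    cat "$dir/int.crt" >> "$dir/server.crt"
}

# Exit status 0 if the certificate carries the CA:TRUE basic constraint.
has_ca_true() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Verify like a client that trusts only root.crt and gets server.crt from the
# server: the intermediate is available only as an untrusted chain member.
verify_chain() {
    if openssl verify -CAfile "$1/root.crt" -untrusted "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}
```

Call build_chain with true and then with false as the second argument and compare verify_chain: the second chain fails verification because the intermediate lacks CA:true, even though it was otherwise issued correctly by the root.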