On 05/25/20 15:15, Chapman Flack wrote:
> Does that mean it also would fail if I directly put the server's
> end-entity cert there?
>
> Would I have to put all three of WE ISSUE TO ORGS LIKE YOURS,
> WE ISSUE TO LOTS, and WE ISSUE TO EVERYBODY in the root.crt file
> in order for verification to succeed?
>
> If I did that, would the effect be any different from simply putting
> WE ISSUE TO EVERYBODY there, as before? Would it then happily accept
> a cert with a chain that ended at WE ISSUE TO EVERYBODY via some other
> path? Is there a way I can accomplish trusting only certs issued by
> WE ISSUE TO ORGS LIKE YOURS?

The client library is the PG 10 one that comes with Ubuntu 18.04
in case it matters.

I think I have just verified that I can't make it work by putting
the end entity cert there either. It is back working again with only
the WE ISSUE TO EVERYBODY cert there, but if there is a workable way
to narrow that grant of trust a teensy little bit, I would be happy
to do that.

Regards,
-Chap