Bruce Momjian <br...@momjian.us> writes: > Yes, this was my understanding. Let me ask a simple question --- can > you put only the client cert on the client (postgresql.crt) and only the > root cert on the server (root.crt), and will it work?
Yes, that's surely always worked. > I think Tom's question is whether OpenSSL will read through all the > entries in root.crt and find the one that signed the remote cert, and > has it always done that, i.e. does the remote side have to provide the > upper-level cert to match against. My point is specifically that it didn't seem to work when the client cert file includes an intermediate CA cert, but not a full path to a trusted root cert. (Note that anything in the server's root.crt file is a trusted root cert so far as the server is concerned --- it doesn't matter if it's a child of some other CA.) > One big thing I learned from this is that the local root.crt is only > used to verify remote certificates; it isn't related to how the remote > end verifies your certificate. Now, in most cases, the root.crt is > identical for clients and servers, but it doesn't have to be. Yes, we were already explaining that in the existing docs. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers