* Bruce Momjian (br...@momjian.us) wrote:
> On Mon, Dec  2, 2013 at 03:57:45PM -0500, Andrew Dunstan wrote:
> > 
> > On 12/02/2013 03:44 PM, Tom Lane wrote:
> > >Bruce Momjian <br...@momjian.us> writes:
> > >>Let me ask a simple question --- can
> > >>you put only the client cert on the client (postgresql.crt) and only the
> > >>root cert on the server (root.crt), and will it work?
> > >Yes, that's surely always worked.
> > 
> > Not if the client has been signed by an intermediate CA, surely.
> > Either the server must have the intermediate CA cert in its root.crt
> > or the client must supply it along with the end cert.
> Right.  Tom is saying that for his openssl version, he had to have the
> client supply a certificate _matching_ something in the remote root.crt,
> not just signed by it.

Err, no..  That's not right.

The client certificate needs to be *signed* by the root certificate, or
by an intermediate which is signed by the root and is available to the
server for verification.

The client certificate does *not* need to exist in the root.crt...



Attachment: signature.asc
Description: Digital signature

Reply via email to