On Mon, Dec 2, 2013 at 04:17:57PM -0500, Tom Lane wrote: > Bruce Momjian <br...@momjian.us> writes: > > Sorry, I should have said: > > > Tom is saying that for his openssl version, a client that passed > > an intermediate certificate had to supply a certificate _matching_ > > something in the remote root.crt, not just signed by it. > > > At least I think that was the issue, rather than requiring the client to > > supply a "root" certificate, meaning the client can supply an > > intermediate or root certificicate, as long as it appears in the > > root.crt file on the remote end. > > As far as the server is concerned, anything listed in its root.crt *is* a > trusted root CA. Doesn't matter if it's a child of some other CA.
Uh, the original poster complained that he couldn't put _just_ an intermediate certificate in root.crt and have it work: http://www.postgresql.org/message-id/kh90q0$tv8$1...@ger.gmane.org I expected that I could simply use the client CA certificate as $PGDATA/root.crt, but this does not work; I get an "unknown ca" error. AFAICT, there is absolutely no way to make PostgreSQL trust a CA that is not a self-signed root CA. I am confused. > The issue is that the client's cert has to be linked to some element of > root.crt somehow. In principle you'd think that if the client provides > an intermediate CA cert, the server should be able to match that to > whichever root.crt member signed it, but that wasn't what I saw > happening. It'd be good for someone who uses SSL more than I do to > replicate the experiment, though. It's not impossible that I screwed up. Agreed. Anyone? I can try, but I am a novice. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + Everyone has their own god. + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers