From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Trust intermediate CA for client certificates |
Date: | 2013-12-02 21:12:13 |
Message-ID: | 20131202211213.GS17272@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Mon, Dec 2, 2013 at 03:57:45PM -0500, Andrew Dunstan wrote:
> >
> > On 12/02/2013 03:44 PM, Tom Lane wrote:
> > >Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > >>Let me ask a simple question --- can
> > >>you put only the client cert on the client (postgresql.crt) and only the
> > >>root cert on the server (root.crt), and will it work?
> > >Yes, that's surely always worked.
> >
> > Not if the client has been signed by an intermediate CA, surely.
> > Either the server must have the intermediate CA cert in its root.crt
> > or the client must supply it along with the end cert.
>
> Right. Tom is saying that for his openssl version, he had to have the
> client supply a certificate _matching_ something in the remote root.crt,
> not just signed by it.
Err, no.. That's not right.
The client certificate needs to be *signed* by the root certificate, or
by an intermediate which is signed by the root and is available to the
server for verification.
The client certificate does *not* need to exist in the root.crt...
Thanks,
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2013-12-02 21:12:17 | Re: Trust intermediate CA for client certificates |
Previous Message | Stephen Frost | 2013-12-02 21:09:17 | Re: Trust intermediate CA for client certificates |
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2013-12-02 21:12:17 | Re: Trust intermediate CA for client certificates |
Previous Message | Stephen Frost | 2013-12-02 21:09:17 | Re: Trust intermediate CA for client certificates |