Re: Trust intermediate CA for client certificates

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Ian Pilcher <arequipeno(at)gmail(dot)com>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Craig Ringer <craig(at)2ndquadrant(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Trust intermediate CA for client certificates
Date: 2013-12-02 21:49:25
Message-ID: 20131202214925.GX17272@tamriel.snowman.net
Lists: pgsql-general pgsql-hackers

* Ian Pilcher (arequipeno(at)gmail(dot)com) wrote:
> On 12/02/2013 03:15 PM, Stephen Frost wrote:
> > That isn't at *all* accurate. Authorization is handled by pg_ident and
> > PG's role and grant system. We are only using OpenSSL's trust of the
> > certificate for authentication.
>
> OK, how do I configure Postgres to only allow connections when the
> client presents a certificate signed by a particular intermediate CA?

You don't- but that's because the certificate trust chain isn't part of
the trust definition for certificates- which is a *certificate* thing
and hasn't got anything to do with PG. It would also make CA rollover
*extremely* painful, which is why people don't do it. You want your
intermediate CAs to have relatively short-lived times and if you start
codifying which intermediate CAs you trust, things get very ugly when
you need to bring a new intermediate CA online to replace the ageing
one and people start trying to access your service with certificates
signed off the new one.

Which certificate-based system allows you to do this? As I mentioned
up-thread, in the certificate realm (at least in the US government..),
this is handled through CA bridges between root CAs (there is no single
'US government' root CA).

Thanks,

Stephen
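As an added configuration example, not part of this thread and not PostgreSQL's own documentation, the following sketches the split Stephen describes: the trust anchor in ssl_ca_file decides which client certificates pass the OpenSSL authentication step, and pg_ident.conf (plus roles and grants) decides what an authenticated identity may do. File names, the map name "certmap", the example CNs and the regular expression are assumptions chosen for illustration.

```conf
# postgresql.conf (server side) -- file names are assumed
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
# Trust anchor. A client certificate authenticates if its chain verifies
# up to a CA in this file; which intermediate signed it is not a criterion.
# If the client does not send its intermediate certificate(s) in the TLS
# handshake, the intermediates (with their chain to the root) must be in
# this file too, otherwise chain building fails and the client is rejected.
ssl_ca_file   = 'root_ca.crt'

# pg_hba.conf: require a client certificate and run the certificate's CN
# through the identity map named "certmap" (assumed name)
# TYPE  DATABASE  USER  ADDRESS      METHOD
hostssl all       all   0.0.0.0/0    cert map=certmap

# pg_ident.conf: authorization step. Only CNs that match a line here are
# mapped to a database role; everything else is refused even though the
# certificate itself was accepted by OpenSSL. Example CNs are constructed.
# MAPNAME  SYSTEM-USERNAME (certificate CN)   PG-USERNAME
certmap    "alice@example.com"                alice
certmap    /^(.*)@ops\.example\.com$/         \1
```

Narrowing access therefore happens in pg_ident.conf and in the role and grant system, not by pinning an intermediate CA, which is also why rolling the intermediate over does not require touching the mapping as long as the new intermediate chains to the same trusted root.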
