From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Trust intermediate CA for client certificates |
Date: | 2013-12-02 20:44:18 |
Message-ID: | 21703.1386017058@sss.pgh.pa.us |
Lists: | pgsql-general pgsql-hackers |
Bruce Momjian <bruce(at)momjian(dot)us> writes:

> Yes, this was my understanding. Let me ask a simple question --- can
> you put only the client cert on the client (postgresql.crt) and only the
> root cert on the server (root.crt), and will it work?

Yes, that's surely always worked.

> I think Tom's question is whether OpenSSL will read through all the
> entries in root.crt and find the one that signed the remote cert, and
> has it always done that, i.e. does the remote side have to provide the
> upper-level cert to match against.

My point is specifically that it didn't seem to work when the client cert
file includes an intermediate CA cert, but not a full path to a trusted
root cert. (Note that anything in the server's root.crt file is a trusted
root cert so far as the server is concerned --- it doesn't matter if it's
a child of some other CA.)

> One big thing I learned from this is that the local root.crt is only
> used to verify remote certificates; it isn't related to how the remote
> end verifies your certificate. Now, in most cases, the root.crt is
> identical for clients and servers, but it doesn't have to be.

Yes, we were already explaining that in the existing docs.

regards, tom lane
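As an added illustration, not code from the thread or from PostgreSQL: a POSIX shell script that builds a throwaway root -> intermediate -> client chain with openssl and then runs `openssl verify` as a stand-in for the server's root.crt check, in the three configurations the exchange above talks about (leaf alone against a root-only root.crt, leaf plus intermediate against the same root.crt, and a root.crt that lists the intermediate together with its root). The names ExampleRoot, ExampleIntermediate and alice are constructed, and `-untrusted` models the intermediate travelling in the client's postgresql.crt.

```shell
# Added example (not from the thread): build a scratch chain root -> intermediate -> client.
set -eu
# Generate keys and certificates once, in a scratch directory.
make_chain() {
  if [ -n "${PKI_DIR:-}" ]; then return 0; fi
  PKI_DIR=$(mktemp -d)
  trap 'rm -rf "$PKI_DIR"' EXIT
  cd "$PKI_DIR"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # Self-signed root CA (constructed names: ExampleRoot, ExampleIntermediate, alice).
  openssl req -x509 -new -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj /CN=ExampleRoot -days 2 >/dev/null 2>&1
  # Intermediate CA, signed by the root.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr -subj /CN=ExampleIntermediate >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 2 -extfile pki.cnf -extensions ca >/dev/null 2>&1
  # Client certificate, signed only by the intermediate.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj /CN=alice >/dev/null 2>&1
  openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out client.crt -days 2 -extfile pki.cnf -extensions leaf >/dev/null 2>&1
}
# Each check returns openssl verify's exit status (0 = chain accepted).
# 1: server root.crt holds only the root; postgresql.crt holds only the leaf.
leaf_only() { openssl verify -CAfile root.crt client.crt >/dev/null 2>&1; }
# 2: same root.crt; postgresql.crt also carries the intermediate (modelled with -untrusted).
leaf_plus_intermediate() {
  openssl verify -CAfile root.crt -untrusted inter.crt client.crt >/dev/null 2>&1
}
# 3: the intermediate and its root are both listed in root.crt; the leaf alone suffices.
intermediate_in_root_crt() {
  cat inter.crt root.crt > trusted.crt
  openssl verify -CAfile trusted.crt client.crt >/dev/null 2>&1
}
make_chain
for check in leaf_only leaf_plus_intermediate intermediate_in_root_crt; do
  if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
```

Only the first configuration is rejected, because the verifier cannot build a path from the leaf to anything in root.crt without the intermediate.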