Re: Trust intermediate CA for client certificates

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Ian Pilcher <arequipeno(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Trust intermediate CA for client certificates
Date: 2013-03-07 14:28:37
Message-ID: 1133.1362666517@sss.pgh.pa.us
Lists: pgsql-general pgsql-hackers

Ian Pilcher <arequipeno(at)gmail(dot)com> writes:
> I am trying to configure PostgreSQL 8.4 to trust an intermediate CA for
> client certificate validation -- without trusting everything signed by
> the root CA (or a different intermediate CA). Given the following CA
> hierarchy, for example, I would like to trust *only* client certificates
> signed by the client CA.

>          +---------+
>          | Root CA |
>          +---------+
>               /\
>              /  \
>             /    \
>            /      \
>           /        \
>          /          \
>         /            \
>        /              \
> +-----------+  +-----------+
> | Server CA |  | Client CA |
> +-----------+  +-----------+

> I expected that I could simply use the client CA certificate as
> $PGDATA/root.crt, but this does not work; I get an "unknown ca" error.

Maybe I'm missing something, but I don't see why you'd expect a
different result. That leaves you with no way to validate the server's
own certificate.

I think it might work to put both the server CA and client CA certs
(but not the root CA cert) into the server's root.crt.

regards, tom lane
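
An added example, not code from this thread or from PostgreSQL: it rebuilds the Root CA / Server CA / Client CA hierarchy from the question with throwaway keys (all names constructed) and runs OpenSSL's own verifier, the same code path that PostgreSQL hands root.crt to, against the trust files discussed above. It shows that a trust file with no self-signed root (the Client CA alone, or both intermediates together) fails with "unable to get issuer certificate", that adding the Root CA accepts leaves from the Server CA too, and that an intermediate can serve as the only anchor when the verifier is told to accept partial chains (`openssl verify -partial_chain`, OpenSSL 1.0.2 or later).

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL. Rebuilds the
# Root CA / Server CA / Client CA hierarchy from the question with throwaway
# EC keys (all names constructed) and runs OpenSSL's verifier, the same path
# that PostgreSQL's root.crt feeds, against different trust files.
set -u
W=$(mktemp -d) && cd "$W" || exit 1
CA_EXT='basicConstraints=critical,CA:TRUE'
LEAF_EXT='basicConstraints=CA:FALSE'

# issue NAME SUBJECT EXTENSIONS [ISSUER]: writes NAME.key and NAME.crt;
# without ISSUER the certificate is self-signed.
issue() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
  printf '%s\n' "$3" > "$1.ext"
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  fi
}

issue root     'Root CA'   "$CA_EXT"
issue serverca 'Server CA' "$CA_EXT"   root
issue clientca 'Client CA' "$CA_EXT"   root
issue alice    'alice'     "$LEAF_EXT" clientca   # legitimate client certificate
issue mallory  'mallory'   "$LEAF_EXT" serverca   # leaf issued by the wrong intermediate
cat clientca.crt serverca.crt > intermediates.crt  # both intermediates, no root
cat root.crt clientca.crt serverca.crt > withroot.crt

# verify TRUSTFILE LEAF [openssl verify options]: 0 if LEAF chains to TRUSTFILE
verify() { t=$1; l=$2; shift 2; openssl verify -CAfile "$t" "$@" "$l.crt" >/dev/null 2>&1; }

# Each check returns 0 when OpenSSL behaves as its comment says.
# Default verification must reach a self-signed certificate in the trust file,
# so a root.crt holding only intermediates rejects even a valid client cert
# (error 2, "unable to get issuer certificate"; the client sees the "unknown ca" alert).
check_intermediates_only_fail() { ! verify clientca.crt alice && ! verify intermediates.crt alice; }
# Adding the Root CA lets chains build, but then every leaf under the root is
# accepted, including one issued by the Server CA.
check_root_overtrusts() { verify withroot.crt alice && verify withroot.crt mallory; }
# An intermediate works as the sole trust anchor only when the verifier is told
# to accept partial chains (OpenSSL 1.0.2+); the Server CA leaf still fails.
check_partial_chain() { verify clientca.crt alice -partial_chain && ! verify clientca.crt mallory -partial_chain; }
check_intermediates_only_fail && check_root_overtrusts && check_partial_chain && echo "all checks passed"
```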
