Re: SSL certificates issue

From: Radosław Smogura <rsmogura(at)softperience(dot)eu>
To: pgsql-general(at)postgresql(dot)org
Cc: Asia <asia123321(at)op(dot)pl>
Subject: Re: SSL certificates issue
Date: 2011-09-07 16:32:08
Message-ID: 201109071832.08646.rsmogura@softperience.eu
Lists: pgsql-general

Asia <asia123321(at)op(dot)pl> Wednesday 07 of September 2011 16:00:39
> > I personally haven't tried SSL for PostgreSQL but, I think, you should
> > put in root.crt only the intermediate certificate (C1 - from prev post), so
> > all and only all "sub-certs" of the intermediate CA will be able to
> > establish a connection (paranoid security).
> >
> > Putting intermediate CAs as trusted in the Java keystore may be a solution,
> > but I'm not sure whether, in the case of cert invalidation, such a cert will
> > be rejected.
> >
> > If you want to write an SSL Factory, you should re-implement KeyManager
> > only, to give the ability of extended search.
> >
> > Regards,
> > Radek
>
> I have already tried with only C1 in root.crt but unfortunately it does
> not work. I get an error message that the cert is invalid. It seems that
> chained CAs are not supported in the way we would like to have it done. I
> would prefer to have the number of trusted certs in root.crt limited as much
> as possible, but as I said it does not work.
>
> About Java, I would need to analyze the libpq code and implement KeyManager
> in a similar way - this is surely possible but not necessarily the preferred
> solution ;-)
>
> Kind regards,
> Joanna
I barely looked at the Java SSL implementation, and it should support certificate
chains, even if the intermediate cert isn't presented by the server (not in root.crt),
as long as you have a valid chain in the key/trust store. I found the
"javax.net.debug=all" property, which you may try turning on to see debug info
about cert matching.

Only one thing comes to mind as to why it doesn't work: your intermediate cert may
have no issuer DN.

Regards,
Radek
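[Editor's note: the script below is an added example, not part of the thread. It
reproduces the root.crt situation Joanna describes with openssl alone: a throwaway
root CA, an intermediate CA standing in for C1, and a server cert issued by that
intermediate. libpq hands the contents of root.crt to OpenSSL and relies on
OpenSSL's default chain verification, which insists that the chain end in a
self-signed certificate it trusts; `openssl verify -CAfile` applies the same
default, so it shows which root.crt layouts are accepted. The CA names and the
host db.example.test are made up for the demo.]

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate (C1) -> server
# with openssl and check which trust-store contents let the server cert verify,
# the same default chain check libpq gets when it loads root.crt.
# "Demo Root CA", "Demo Intermediate CA" and db.example.test are made-up names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA certificates need basicConstraints CA:TRUE; the server (leaf) cert must not have it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:db.example.test\n' > "$WORK/server.ext"

# newkey NAME SUBJECT : fresh RSA key plus a CSR for it
newkey() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_pki() {
    newkey root   "/CN=Demo Root CA"
    newkey int    "/CN=Demo Intermediate CA"
    newkey server "/CN=db.example.test"
    # self-signed root
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
    # intermediate (C1) signed by the root
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
    # server cert signed by the intermediate, not by the root
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
    # a root.crt that carries both CA certificates
    cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/chain.crt"
}

# verdict TRUSTFILE [extra openssl verify options] : prints "accepted" or "rejected".
# TRUSTFILE plays the role of root.crt; -untrusted plays the role of certificates
# the server sends along in the handshake.
verdict() {
    trust=$1; shift
    if openssl verify "$@" -CAfile "$WORK/$trust" "$WORK/server.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

build_pki
echo "only C1 in root.crt:                 $(verdict int.crt)"
echo "only root in root.crt:               $(verdict root.crt)"
echo "root in root.crt, server sends C1:   $(verdict root.crt -untrusted "$WORK/int.crt")"
echo "root + C1 in root.crt:               $(verdict chain.crt)"
echo "only C1, partial chains allowed:     $(verdict int.crt -partial_chain)"
```

The first two cases are rejected: with only C1 in the trust file OpenSSL cannot
reach a self-signed anchor, and with only the root it cannot find the server
cert's issuer at all. The two ways to make it verify are for the server to send
C1 with its own certificate (the `-untrusted` case) or to put root and C1 together
in root.crt (the `chain.crt` case). The last line shows `-partial_chain` (OpenSSL
1.0.2 and later), which is the only setting that accepts an intermediate as a
trust anchor; it is a verification flag, and nothing you can put in root.crt
switches it on, which matches the behaviour Joanna reports.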
