Re: Trust intermediate CA for client certificates

On Mon, Dec 2, 2013 at 04:17:57PM -0500, Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > Sorry, I should have said:
>
> > Tom is saying that for his openssl version, a client that passed
> > an intermediate certificate had to supply a certificate _matching_
> > something in the remote root.crt, not just signed by it.
>
> > At least I think that was the issue, rather than requiring the client to
> > supply a "root" certificate, meaning the client can supply an
> > intermediate or root certificicate, as long as it appears in the
> > root.crt file on the remote end.
>
> As far as the server is concerned, anything listed in its root.crt *is* a
> trusted root CA. Doesn't matter if it's a child of some other CA.

Uh, the original poster complained that he couldn't put _just_ an
intermediate certificate in root.crt and have it work:

http://www.postgresql.org/message-id/kh90q0$tv8$1@ger.gmane.org

I expected that I could simply use the client CA certificate as
$PGDATA/root.crt, but this does not work; I get an "unknown ca" error.
AFAICT, there is absolutely no way to make PostgreSQL trust a CA that is
not a self-signed root CA.

I am confused.

> The issue is that the client's cert has to be linked to some element of
> root.crt somehow. In principle you'd think that if the client provides
> an intermediate CA cert, the server should be able to match that to
> whichever root.crt member signed it, but that wasn't what I saw
> happening. It'd be good for someone who uses SSL more than I do to
> replicate the experiment, though. It's not impossible that I screwed up.

Agreed. Anyone? I can try, but I am a novice.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +