| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Frazer McLean <frazer(at)frazermclean(dot)co(dot)uk> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Configuring ssl_crl_file |
| Date: | 2017-02-28 20:51:04 |
| Message-ID: | 20170228205104.GE20113@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Mon, Feb 27, 2017 at 12:11:47AM +0100, Frazer McLean wrote:
> I found a solution to the problem, which I’l send here to help those who
> find the original email via search.
>
> The intermediate CRL file must be concatenated to CRL files going back to
> the root CA.
I have researched this and will post a blog and and document the fix in
the next few months. The reason you have to supply the entire
certificate chain to the root CA on the client is because you have not
used the "-extensions v3_ca" flag to openssl when creating the CA x509
request. You have to mark the certificates as CAs so they are passed
from the server to the client. You are looking for the CA certificates
to say:
X509v3 Basic Constraints:
CA:TRUE
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Frazer McLean | 2017-02-28 21:50:02 | Re: Configuring ssl_crl_file |
| Previous Message | Scott Marlowe | 2017-02-28 19:50:35 | Re: Re: GMT FATAL: remaining connection slots are reserved for non-replication superuser connections, but I'm using pgBouncer for connection pooling |