Re: Correction of intermediate certificate handling

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, David Steele <david(at)pgmasters(dot)net>
Subject: Re: Correction of intermediate certificate handling
Date: 2018-01-16 05:33:05
Message-ID: 20180116053305.GB2212@paquier.xyz
Lists: pgsql-docs

On Mon, Jan 15, 2018 at 07:22:38PM -0500, Bruce Momjian wrote:
> I asked Stephen Frost and David Steele for details on the arcane art of
> SSL certificate creation. They showed me scripts they use and explained
> that they properly pass intermediate certificates to clients. The trick
> was to use the v3_ca extension when creating root and intermediate
> certificates.
>
> My talk documents this behavior. In this talk:
>
> https://momjian.us/main/writings/pgsql/tls.pdf
>
> slides 47 and 49 use -extensions v3_ca. Slides 73 and 74 show that the
> intermediate is not needed on the client if it is created with v3_ca and
> exists on the server. Slide 75 shows that the server certificate must be
> first in server.crt.
>
> I have created the attached doc patch to add this information to our
> docs. I would like to backpatch this since what we have now, while it
> works, is inaccurate.

I have spent some time looking at your patch; this gets a +1 from here.

This bit is important. I am happy that your patch mentions that
intermediate certificates avoid the need to store root ones on the
client. Should the docs mention terms like "chain of trust"?

Perhaps the docs could also include an example of a command to create a
root and an intermediate certificate in runtime.sgml or such?

On top of that, src/test/ssl does not provide any kind of coverage for
that. It would be an area of improvement for those tests.
--
Michael
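The procedure quoted above (root and intermediate created with the v3_ca extension, the server certificate first in server.crt, and the client holding only the root) written out as a runnable shell example. This is an added example, not the doc patch under discussion and not code from PostgreSQL's src/test/ssl; it assumes the openssl command-line tool (1.1.1 or later) is installed, and the file names, subject names and the minimal ca.cnf are constructed for the demo.

```shell
#!/bin/sh
# Added example: build root CA -> intermediate CA (v3_ca) -> server certificate,
# bundle server.crt with the server certificate FIRST, and verify the chain the
# way a client that trusts only root.crt would. Names are constructed for the demo.
set -eu

write_config() {
    # Minimal OpenSSL config: v3_ca marks a certificate as a CA, v3_leaf does not.
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF
}

build_chain() {
    d="$1"
    write_config "$d"
    # Self-signed root CA created with -extensions v3_ca (CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
        -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Intermediate CA: CSR, then signed by the root, again with v3_ca.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/intermediate.csr" \
        -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/intermediate.crt" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate, CA:FALSE.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=db.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/server.csr" \
        -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" -CAcreateserial \
        -extfile "$d/ca.cnf" -extensions v3_leaf -out "$d/server_leaf.crt" 2>/dev/null
    # The bundle the server presents: server certificate first, then the intermediate.
    cat "$d/server_leaf.crt" "$d/intermediate.crt" > "$d/server.crt"
}

# 0 if the first certificate in the bundle is the server certificate
# (openssl x509 reads only the first PEM block, which is the order that matters).
first_cert_is_server() {
    openssl x509 -in "$1" -noout -subject | grep -q "db.example.test"
}

# 0 if the certificate carries CA:TRUE, i.e. what -extensions v3_ca provides.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# Emulates a client that trusts only root.crt: the intermediate is taken from
# the server's bundle (-untrusted), not from the client's trust store.
client_verifies() {
    d="$1"
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/server.crt" \
        "$d/server_leaf.crt" >/dev/null 2>&1
}

# 0 if verification fails when the server does not ship the intermediate,
# which is the failure mode the slides describe.
verify_without_intermediate_fails() {
    d="$1"
    if openssl verify -CAfile "$d/root.crt" "$d/server_leaf.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone run: every check must pass or set -e aborts the script.
WORK="$(mktemp -d)"
build_chain "$WORK"
first_cert_is_server "$WORK/server.crt"
is_ca_cert "$WORK/intermediate.crt"
client_verifies "$WORK"
verify_without_intermediate_fails "$WORK"
echo "chain built and verified in $WORK"
```

Swapping the two `cat` arguments (intermediate first) makes `first_cert_is_server` fail, which is the misconfiguration slide 75 warns about: the server would then present the intermediate as its own certificate.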
