Re: Openssl v3_ca

Greetings,

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> A few years ago I figured out how to create intermediate certificates
> that are transferred across OpenSSL connections by using the v3_ca
> extension, and added this to the PG documentation.
>
> I have now just figured out that v3_ca is just a heading in the openssl
> configuration file, e.g., /etc/ssl/openssl.cnf, and that it is
> specifically this line that enables this to work:
>
> basicConstraints = critical,CA:true

Yes, v3_ca refers to a stanza in the default openssl config.

> I have created the attached documentation patch to clarify exactly what
> is needed, in case non-openssl tools are used.

> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
> index c8698898f3..f705c4fec1 100644
> --- a/doc/src/sgml/runtime.sgml
> +++ b/doc/src/sgml/runtime.sgml
> @@ -2194,7 +2194,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
> can also be appended to the file. Doing this avoids the necessity of
> storing intermediate certificates on clients, assuming the root and
> intermediate certificates were created with <literal>v3_ca</literal>

All CAs need to have CA:TRUE set on them, root and intermediate, so the
above isn't really correct..

> - extensions. This allows easier expiration of intermediate certificates.
> + extensions (which sets <literal>CA:TRUE</literal> on certificates).

Probably better would be to specifically say "This sets 'ca' to 'true'
for the basic constraints of the certificate." or similar language.
Simply saying "CA:TRUE" doesn't seem to really be an improvement over
just referencing the v3_ca stanza.

> + This allows easier expiration of intermediate certificates.

While true, there's certainly other reasons why someone might want to
run intermediate CAs.. I'm not sure that we really need to go into the
discussion about why they make sense to have.

Thanks,

Stephen