From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | ChoonSoo Park <luispark(at)gmail(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: How to setup chained CA? |
Date: | 2012-10-30 23:09:59 |
Message-ID: | 23711.1351638599@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
ChoonSoo Park <luispark(at)gmail(dot)com> writes:
> Then I tried to test more complex thing - chained CA.
> Scenario 1. Postgresql having server.crt signed by Root CA and one of
> clients having postgresql.crt signed by intermediate CA.
> Machine 1: Created a new intermediate CA (ra.crt) signed by root
> certificate. Created a new client certificate signed by the intermediate CA.
> Concatenated root CA & intermediate CA using
> openssl x509 -text -in root.crt > newroot.crt
> openssl x509 -text -in ra.crt >> newroot.crt
Not an SSL expert, but my recollection is that the order of the certs in
the file is significant, and this order is the wrong one: root cert goes
last. Moreover, root.crt should basically only contain the trusted root
cert. The chains of intermediate certs (plus a copy of the root cert)
belong in server.crt and the client-side postgresql.cert. Not terribly
good design, probably, but you'd have to take that up with the openssl
folk not us.
FWIW, I *have* tested chained certs, and they do work for me per the
documentation; or at least did the last time I tried it about two years
ago.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | 高健 | 2012-10-31 08:53:07 | Why SyncOneBuffer does not called frequently? |
Previous Message | ChoonSoo Park | 2012-10-30 22:25:46 | How to setup chained CA? |