From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Asia <asia123321(at)op(dot)pl> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: SSL certificates issue |
Date: | 2011-08-22 13:37:28 |
Message-ID: | 2862.1314020248@sss.pgh.pa.us |
Lists: | pgsql-general |
Asia <asia123321(at)op(dot)pl> writes:
> Now the issue is that when using libpq it was enough to have only the root certificate in the server's root.crt and it worked fine.
> But when I tried using the same with JDBC it turned out that I need to put whole chain (2 certs) of Intermediate CA 1 in server's root.crt.
This is poor configuration, because every certificate listed in root.crt
is considered fully trusted for every purpose. It's best to keep only
top-level root certs in root.crt. Instead, put the full chain of
certificates into the client's postgresql.crt, as per the manual:
: In some cases, the client certificate might be signed by an
: "intermediate" certificate authority, rather than one that is directly
: trusted by the server. To use such a certificate, append the certificate
: of the signing authority to the postgresql.crt file, then its parent
: authority's certificate, and so on up to a "root" authority that is
: trusted by the server. The root certificate should be included in every
: case where postgresql.crt contains more than one certificate.
In the JDBC case you'd need to put all those certs into the client's
keystore, which I'm afraid I don't know the details of doing. Possibly
somebody on pgsql-jdbc could help you with that.
regards, tom lane
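A worked version of the layout Tom describes, as an added example that is not part of the thread: it generates a throw-away root, intermediate and client certificate with the openssl CLI, assembles postgresql.crt in the order the manual gives, and checks with `openssl verify` that the chain validates against a root.crt holding only the root, while the client certificate on its own does not (the symptom reported above). The CA names, the user name `asia` and the helpers `trusted_cert_count` and `check_chain` are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the thread): build a root -> intermediate -> client
# chain with the openssl CLI and lay the files out the way the manual describes.
# All names (Demo Root CA, Demo Intermediate CA 1, user "asia") are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping demo" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Self-signed root CA: the only certificate the server's root.crt should hold.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.crt 2>/dev/null
# Intermediate CA, signed by the root (needs CA:TRUE to be accepted as an issuer).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA 1" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
# Client certificate, signed by the intermediate (CN = the database user name).
openssl req -newkey rsa:2048 -nodes -subj "/CN=asia" \
  -keyout postgresql.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 1 -out client.crt 2>/dev/null

# ~/.postgresql/postgresql.crt: the client's own cert first, then the signing
# intermediate, then the root, exactly the order the manual gives.
cat client.crt inter.crt root.crt > postgresql.crt

# Number of trust anchors in a root.crt; per Tom's advice this should be 1.
trusted_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Does the chain a client presents ($1) validate against a server root.crt ($2)?
# The first cert in the file is the leaf; the rest are offered only as untrusted
# intermediates, which is how the server treats them during the handshake.
check_chain() {
  openssl x509 -in "$1" -out "$WORK/leaf.pem" 2>/dev/null
  openssl verify -CAfile "$2" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

echo "trust anchors in root.crt: $(trusted_cert_count root.crt)"
if check_chain postgresql.crt root.crt; then echo "full chain: OK"; fi
# Leaf alone, no intermediate in the file: this is the failure described above.
# The fix is adding the intermediate to postgresql.crt, not to the server's root.crt.
if ! check_chain client.crt root.crt; then echo "leaf only: rejected (expected)"; fi
```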