Re: How to setup chained CA?

From: ChoonSoo Park <luispark(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: How to setup chained CA?
Date: 2012-10-31 14:31:01
Message-ID: CACgbiFsD_SdphQzG-R5=0JzzJ71fmXssVTBTJsNrHWE91JA_tg@mail.gmail.com
Lists: pgsql-general

Hello Tom,

Per your recommendation, I tried appending the certs in reverse order.
1. On postgresql server side
1) create a self-signed root certificate
2) create an intermediate cert signed by root certificate
3) create a server.crt signed by the intermediate cert
4) append the intermediate cert to server.crt
5) append the root cert to server.crt
6) start up postgresql server

2. On postgresql client side
1) copy the self-signed root.crt from postgresql server
2) create a postgresql.crt signed by root.crt
3) tried to connect to the postgresql server using psql
4) STILL FAILED with same error.

I tried "server.crt signed by root.crt and postgresql.crt signed by the
intermediate cert and appending intermediate certs and root.crt to
postgresql.crt". This didn't work either.

Anything wrong or missing in these steps?

Thank you,
Choon Park

On Tue, Oct 30, 2012 at 7:09 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> ChoonSoo Park <luispark(at)gmail(dot)com> writes:
> > Then I tried to test more complex thing - chained CA.
>
> > Scenario 1. Postgresql having server.crt signed by Root CA and one of
> > clients having postgresql.crt signed by intermediate CA.
>
> > Machine 1: Created a new intermediate CA (ra.crt) signed by root
> > certificate. Created a new client certificate signed by the intermediate
> CA.
> > Concatenated root CA & intermediate CA using
> > openssl x509 -text -in root.crt > newroot.crt
> > openssl x509 -text -in ra.crt >> newroot.crt
>
> Not an SSL expert, but my recollection is that the order of the certs in
> the file is significant, and this order is the wrong one: root cert goes
> last. Moreover, root.crt should basically only contain the trusted root
> cert. The chains of intermediate certs (plus a copy of the root cert)
> belong in server.crt and the client-side postgresql.cert. Not terribly
> good design, probably, but you'd have to take that up with the openssl
> folk not us.
>
> FWIW, I *have* tested chained certs, and they do work for me per the
> documentation; or at least did the last time I tried it about two years
> ago.
>
> regards, tom lane
>
