From: | Douglas McNaught <doug(at)mcnaught(dot)org> |
---|---|
To: | k(dot)p(dot)lehre(at)world-online(dot)no |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: SSL client crt verification |
Date: | 2005-08-26 14:15:51 |
Message-ID: | m2wtm8wzqg.fsf@Douglas-McNaughts-Powerbook.local |
Lists: | pgsql-hackers |
"Knut P Lehre" <k(dot)p(dot)lehre(at)world-online(dot)no> writes:
> Server: 7.4.8 on Red Hat EL4. Client psql 8.0.3 on WinXP. Using a
> test server.crt and server.key, as described in 8.0 docs 16.8, I can
> activate SSL encryption (WinXP 8.0.3 psql reports "SSL Connection"
> at connect), and as expected, the server log reports that root.crt
> is not found. If I copy server.crt to root.crt and start up server
> again, the missing root.crt message disappears. But I can still
> connect with psql with no postgresql.crt on client (docs
> 27.13). Apparently, the root.crt, which in this case is a copy of
> server.crt, is not interpreted as a CA crt, but how does the server
> know? Isn't a CA cert just a self signed crt? Why is there not a
> warning that client authentication will not take place, when it
> apparently does not? Does the server only check that a root.crt file
> is present, and not that it contains valid information?
You really need a separate root CA cert and server key. The server
key should be signed by the root CA, which is self-signed. The root
CA private key should be kept secure somewhere else--the database
server doesn't need access to it.
I just went through the whole exercise of creating a CA and setting up
an app for client cert authentication, so I am reasonably sure the
above is your problem.
For client auth to work, you need:
* Root CA certificate available to both client and server
* Server cert signed by root CA, with CN=server hostname
* Client cert signed by root CA, available to client to present to
server.
-Doug
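The three-cert layout Doug lists, built with openssl as an added example (this script is not part of the thread and not PostgreSQL's own tooling). It assumes `openssl` and `mktemp` are on the PATH and uses a placeholder hostname; it also builds a stand-alone self-signed server cert to show why copying server.crt to root.crt does not let the server validate a client cert.

```shell
#!/bin/sh
# Added example: root CA -> server cert (CN=hostname) -> client cert,
# all in a scratch directory. The CA private key (ca.key) is the one
# file that should never be copied to the database server.
set -eu
WORK="${WORK:-$(mktemp -d)}"          # scratch dir (assumed writable)
HOST="${HOST:-db.example.test}"       # placeholder server hostname for the CN

make_pki() (
  cd "$WORK"
  # 1. Root CA: self-signed, kept off the server -> root.crt goes to both sides
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out root.crt \
    -days 365 -subj "/CN=Example Test CA" >/dev/null 2>&1
  # 2. Server key + CSR with CN=hostname, signed by the CA -> server.crt
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=$HOST" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA root.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days 365 >/dev/null 2>&1
  # 3. Client key + CSR signed by the same CA -> postgresql.crt/postgresql.key
  openssl req -newkey rsa:2048 -nodes -keyout postgresql.key -out postgresql.csr \
    -subj "/CN=dbuser" >/dev/null 2>&1
  openssl x509 -req -in postgresql.csr -CA root.crt -CAkey ca.key -CAcreateserial \
    -out postgresql.crt -days 365 >/dev/null 2>&1
  # 4. What the original question did: a self-signed server cert standing alone
  openssl req -x509 -newkey rsa:2048 -nodes -keyout selfsigned.key \
    -out selfsigned.crt -days 365 -subj "/CN=$HOST" >/dev/null 2>&1
  chmod 600 ./*.key                   # private keys readable by their owner only
)

# verify_chain <ca-file> <cert-file>: prints "ok" if the cert chains to the CA
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# cert_cn <cert-file>: prints the subject CN (works with old and new openssl output)
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

make_pki
verify_chain "$WORK/root.crt" "$WORK/server.crt"            # ok
verify_chain "$WORK/root.crt" "$WORK/postgresql.crt"        # ok
verify_chain "$WORK/selfsigned.crt" "$WORK/postgresql.crt"  # fail: not its issuer
cert_cn "$WORK/server.crt"                                  # db.example.test
```

Install root.crt, server.crt and server.key in the server's data directory and root.crt, postgresql.crt and postgresql.key on the client; the last `verify_chain` call is the situation the original question describes.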