Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Trust intermediate CA for client certificates
Msg-id 20131202203808.GI5274@momjian.us
In response to Re: Trust intermediate CA for client certificates  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: Trust intermediate CA for client certificates
Re: Trust intermediate CA for client certificates
List pgsql-hackers
On Mon, Dec  2, 2013 at 03:01:25PM -0500, Andrew Dunstan wrote:
> >I don't fully understand the issues but the discussion seems to indicate
> >this.  Am I missing something?  Should I run some tests?
> >
> 
> AIUI, you need a complete chain from one end to the other. So the
> cert being checked can include the intermediate cert in what it
> sends, or it can be in the root.crt at the other end, but one way or
> another, the checking end needs a complete chain from a root cert to
> the cert from the other end.

Yes, this was my understanding.  Let me ask a simple question --- can
you put only the client cert on the client (postgresql.crt) and only the
root cert on the server (root.crt), and will it work?

I think Tom's question is whether OpenSSL will read through all the
entries in root.crt and find the one that signed the remote cert, and
has it always done that, i.e. does the remote side have to provide the
upper-level cert to match against.

One big thing I learned from this is that the local root.crt is only
used to verify remote certificates; it isn't related to how the remote
end verifies your certificate.  Now, in most cases, the root.crt is
identical for clients and servers, but it doesn't have to be.

Put another way, I thought you put the root cert in your local root.crt
and the local cert in postgresql.crt or server.crt, but in fact the
requirement is that the local certificate chain to root must be in the
remote root.crt.

Of course, I might be wrong, but I am trying to clarify this for our
users.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +
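The question raised in this message can be reproduced outside PostgreSQL with nothing but the openssl CLI. The script below is an added example, not code from the thread or from PostgreSQL: it builds a root CA, an intermediate CA signed by it, and a client certificate signed by the intermediate (all subject and file names are constructed), then replays the three layouts under discussion: a root-only root.crt checking the bare leaf, the same root.crt checking leaf plus intermediate, and a root.crt that also holds the intermediate.

```shell
#!/bin/sh
# Added demo, not code from the thread. Builds root -> intermediate -> client
# and replays the three root.crt layouts under discussion. Subject names and
# file names are constructed; needs the openssl CLI.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Root CA, self-signed: the only entry in the verifier's root.crt in case 1.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
    -out root.crt 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 1 -in inter.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out inter.crt 2>/dev/null
# Client leaf (what libpq would load from postgresql.crt), signed by the
# intermediate, so its issuer is NOT present in a root-only root.crt.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=pguser' \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 1 -in client.csr -CA inter.crt -CAkey inter.key \
    -CAcreateserial -out client.crt 2>/dev/null

# Play the verifying side. $1 stands in for its root.crt; $2, if given, is
# extra chain material presented together with the leaf (what a client does
# when postgresql.crt contains leaf + intermediate). Prints OK or FAIL.
verify_client() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" client.crt >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" client.crt >/dev/null 2>&1
    fi && echo OK || echo FAIL
}

# Case 1: root-only root.crt, bare leaf presented -> no path to a trusted root.
LEAF_ONLY=$(verify_client root.crt)
# Case 2: same root.crt, but the presenter sends the intermediate as well.
LEAF_PLUS_INTER=$(verify_client root.crt inter.crt)
# Case 3: verifier's root.crt holds root AND intermediate, bare leaf presented.
cat root.crt inter.crt > root_and_inter.crt
INTER_IN_ROOT_CRT=$(verify_client root_and_inter.crt)

echo "root-only root.crt, leaf alone:          $LEAF_ONLY"
echo "root-only root.crt, leaf + intermediate: $LEAF_PLUS_INTER"
echo "root+intermediate root.crt, leaf alone:  $INTER_IN_ROOT_CRT"
```

Case 1 fails and cases 2 and 3 succeed, which is exactly the point made in the quoted reply: the verifier needs a complete chain to a root it trusts, and the intermediate can come either from the presenter or from the verifier's own root.crt.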