Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 20131202204626.GJ5274@momjian.us
Whole thread Raw
In response to Re: Trust intermediate CA for client certificates  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Mon, Dec  2, 2013 at 03:07:48PM -0500, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > On Mon, Dec  2, 2013 at 12:59:41PM -0500, Tom Lane wrote:
> >> I see that you removed the sentence
> >> The root
> >> certificate should be included in every case where
> >> <filename>postgresql.crt</> contains more than one certificate.
> 
> > I don't fully understand the issues but the discussion seens to indicate
> > this.  Am I missing something?  Should I run some tests?
> 
> My recollection is that if the client cert file includes *only* the
> client's own cert, the server will puzzle out how that connects to the
> certs it has.  However, if the client cert file contains more than one
> cert (ie, client's cert and some intermediate-CA cert), the server
> will *not* try to associate the intermediate cert with some root cert it
> has.  It wants the chain the client sends to terminate in a cert that it
> has listed directly in root.crt.

OK, so you are saying if the client only supplies one cert, it will try
to find a signing cert in root.crt, but if multiple certs are supplied,
you have to get a cert match (not a signing).  I can adjust the docs for
that.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + Everyone has their own god. +



pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Trust intermediate CA for client certificates
Next
From: Stephen Frost
Date:
Subject: Re: Trust intermediate CA for client certificates