Home > mailing lists

Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From	Bruce Momjian
Subject	Re: Trust intermediate CA for client certificates
Date	December 3, 2013 00:03:00
Msg-id	20131202210249.GL5274@momjian.us Whole thread Raw
In response to	Re: Trust intermediate CA for client certificates (Andrew Dunstan <andrew@dunslane.net>)
Responses	Re: Trust intermediate CA for client certificates
List	pgsql-hackers

Tree view

On Mon, Dec  2, 2013 at 03:57:45PM -0500, Andrew Dunstan wrote:
> 
> On 12/02/2013 03:44 PM, Tom Lane wrote:
> >Bruce Momjian <bruce@momjian.us> writes:
> >>Let me ask a simple question --- can
> >>you put only the client cert on the client (postgresql.crt) and only the
> >>root cert on the server (root.crt), and will it work?
> >Yes, that's surely always worked.
> 
> Not if the client has been signed by an intermediate CA, surely.
> Either the server must have the intermediate CA cert in its root.crt
> or the client must supply it along with the end cert.

Right.  Tom is saying that for his openssl version, he had to have the
client supply a certificate _matching_ something in the remote root.crt,
not just signed by it.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + Everyone has their own god. +

pgsql-hackers by date:

From: Bruce Momjian
Date: 03 December 2013, 00:01:01
Subject: Re: Trust intermediate CA for client certificates

From: Stephen Frost
Date: 03 December 2013, 00:04:02
Subject: Re: Trust intermediate CA for client certificates

Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

Previous

Next