Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 20131202211217.GM5274@momjian.us
Whole thread Raw
In response to Re: Trust intermediate CA for client certificates  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Trust intermediate CA for client certificates
Re: Trust intermediate CA for client certificates
List pgsql-hackers
On Mon, Dec  2, 2013 at 04:12:13PM -0500, Stephen Frost wrote:
> * Bruce Momjian (bruce@momjian.us) wrote:
> > On Mon, Dec  2, 2013 at 03:57:45PM -0500, Andrew Dunstan wrote:
> > > 
> > > On 12/02/2013 03:44 PM, Tom Lane wrote:
> > > >Bruce Momjian <bruce@momjian.us> writes:
> > > >>Let me ask a simple question --- can
> > > >>you put only the client cert on the client (postgresql.crt) and only the
> > > >>root cert on the server (root.crt), and will it work?
> > > >Yes, that's surely always worked.
> > > 
> > > Not if the client has been signed by an intermediate CA, surely.
> > > Either the server must have the intermediate CA cert in its root.crt
> > > or the client must supply it along with the end cert.
> > 
> > Right.  Tom is saying that for his openssl version, he had to have the
> > client supply a certificate _matching_ something in the remote root.crt,
> > not just signed by it.
> 
> Err, no..  That's not right.
> 
> The client certificate needs to be *signed* by the root certificate, or
> by an intermediate which is signed by the root and is available to the
> server for verification.
> 
> The client certificate does *not* need to exist in the root.crt...

Sorry, I should have said:
Tom is saying that for his openssl version, a client that passedan intermediate certificate had to supply a certificate
_matching_somethingin the remote root.crt, not just signed by it.
 

At least I think that was the issue, rather than requiring the client to
supply a "root" certificate, meaning the client can supply an
intermediate or root certificicate, as long as it appears in the
root.crt file on the remote end.  

Once I fully understand this I can post a proposed doc change.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + Everyone has their own god. +



pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: Trust intermediate CA for client certificates
Next
From: Stephen Frost
Date:
Subject: Re: Extension Templates S03E11