Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 20131202224348.GB17272@tamriel.snowman.net
Whole thread Raw
In response to Re: Trust intermediate CA for client certificates  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-hackers
* Andrew Dunstan (andrew@dunslane.net) wrote:
> But it does need to be signed by a trusted signatory. At least in my
> test script (pretty ugly, but shown below for completeness), the
> Intermediate CA cert is signed with the Root cert rather than being
> self-signed as the Root cert is, and so if the server doesn't have
> that root cert as a trusted cert the validation fails.

Ok, good, that's really how it "should" be.  As a side-note, I'd be very
curious about a self-signed intermediate cert.. :)

> In case 1, we put the root CA cert on the server and append the
> intermediate CA cert to the client's cert. This succeeds. In case 2,
> we put the intermediate CA cert on the server without the root CA's
> cert, and use the bare client cert. This fails. In case 3, we put
> both the root and the intermediate certs in the server's root.crt,
> and use the bare client key, and as expected this succeeds.

Excellent, that's really how it ought to be and I'm glad you had a
chance to test and verify it.

> So the idea that you can just plonk any Intermediate CA cert in
> root.crt and have all keys it signs validated is not true, AFAICT.

I'm afraid it may have been true once, a while back, but we fixed it.
Thanks!
    Stephen

pgsql-hackers by date:

Previous
From: Tom Dunstan
Date:
Subject: Re: Proposed feature: Selective Foreign Keys
Next
From: Piotr Marcinczyk
Date:
Subject: Re: Improve timestamp substraction to be DST-aware