Home > mailing lists

Re: [GENERAL] Configuring ssl_crl_file - Mailing list pgsql-general

From	Bruce Momjian
Subject	Re: [GENERAL] Configuring ssl_crl_file
Date	March 1, 2017 02:51:04
Msg-id	20170228205104.GE20113@momjian.us Whole thread Raw
In response to	Re: [GENERAL] Configuring ssl_crl_file ("Frazer McLean" <frazer@frazermclean.co.uk>)
Responses	Re: [GENERAL] Configuring ssl_crl_file
List	pgsql-general

Tree view

On Mon, Feb 27, 2017 at 12:11:47AM +0100, Frazer McLean wrote:
> I found a solution to the problem, which I’l send here to help those who
> find the original email via search.
>
> The intermediate CRL file must be concatenated to CRL files going back to
> the root CA.

I have researched this and will post a blog and and document the fix in
the next few months.  The reason you have to supply the entire
certificate chain to the root CA on the client is because you have not
used the "-extensions v3_ca" flag to openssl when creating the CA x509
request.  You have to mark the certificates as CAs so they are passed
from the server to the client.  You are looking for the CA certificates
to say:

    X509v3 Basic Constraints:
            CA:TRUE

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +

pgsql-general by date:

From: Scott Marlowe
Date: 01 March 2017, 01:50:35
Subject: Re: [GENERAL] Re: GMT FATAL: remaining connection slots are reservedfor non-replication superuser connections, but I'm using pgBouncer forconnection pooling

From: "Frazer McLean"
Date: 01 March 2017, 03:50:02
Subject: Re: [GENERAL] Configuring ssl_crl_file

Re: [GENERAL] Configuring ssl_crl_file - Mailing list pgsql-general

Previous

Next