Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 21703.1386017058@sss.pgh.pa.us
Whole thread Raw
In response to Re: Trust intermediate CA for client certificates  (Bruce Momjian <bruce@momjian.us>)
Responses Re: Trust intermediate CA for client certificates
Re: Trust intermediate CA for client certificates
List pgsql-hackers
Bruce Momjian <bruce@momjian.us> writes:
> Yes, this was my understanding.  Let me ask a simple question --- can
> you put only the client cert on the client (postgresql.crt) and only the
> root cert on the server (root.crt), and will it work?

Yes, that's surely always worked.

> I think Tom's question is whether OpenSSL will read through all the
> entries in root.crt and find the one that signed the remote cert, and
> has it always done that, i.e. does the remote side have to provide the
> upper-level cert to match against.

My point is specifically that it didn't seem to work when the client cert
file includes an intermediate CA cert, but not a full path to a trusted
root cert.  (Note that anything in the server's root.crt file is a trusted
root cert so far as the server is concerned --- it doesn't matter if it's
a child of some other CA.)

> One big thing I learned from this is that the local root.crt is only
> used to verify remote certificates;  it isn't related to how the remote
> end verifies your certificate.  Now, in most cases, the root.crt is
> identical for clients and servers, but it doesn't have to be.

Yes, we were already explaining that in the existing docs.
        regards, tom lane



pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: Extension Templates S03E11
Next
From: Bruce Momjian
Date:
Subject: Re: Trust intermediate CA for client certificates