ChoonSoo Park <luispark@gmail.com> writes:
> Then I tried to test more complex thing - chained CA.
> Scenario 1. Postgresql having server.crt signed by Root CA and one of
> clients having postgresql.crt signed by intermediate CA.
> Machine 1: Created a new intermediate CA (ra.crt) signed by root
> certificate. Created a new client certificate signed by the intermediate CA.
> Concatenated root CA & intermediate CA using
> openssl x509 -text -in root.crt > newroot.crt
> openssl x509 -text -in ra.crt >> newroot.crt
Not an SSL expert, but my recollection is that the order of the certs in
the file is significant, and this order is the wrong one: root cert goes
last. Moreover, root.crt should basically only contain the trusted root
cert. The chains of intermediate certs (plus a copy of the root cert)
belong in server.crt and the client-side postgresql.cert. Not terribly
good design, probably, but you'd have to take that up with the openssl
folk not us.
FWIW, I *have* tested chained certs, and they do work for me per the
documentation; or at least did the last time I tried it about two years
ago.
regards, tom lane
