Re: SSL certificates issue - Mailing list pgsql-general

From Tom Lane
Subject Re: SSL certificates issue
Date
Msg-id 2862.1314020248@sss.pgh.pa.us
Whole thread Raw
In response to SSL certificates issue  (Asia <asia123321@op.pl>)
Responses Re: SSL certificates issue  (Giuseppe Sacco <giuseppe@eppesuigoccas.homedns.org>)
List pgsql-general
Asia <asia123321@op.pl> writes:
> Now the issue is then when using libpq it was enough to have only root certificate in server's root.crt and it worked
fine.
> But when I tried using the same with JDBC it turned out that I need to put whole chain (2 certs) of Intermediate CA 1
inserver's root.crt. 

This is poor configuration, because every certificate listed in root.crt
is considered fully trusted for every purpose.  It's best to keep only
top-level root certs in root.crt.  Instead, put the full chain of
certificates into the client's postgresql.crt, as per the manual:

: In some cases, the client certificate might be signed by an
: "intermediate" certificate authority, rather than one that is directly
: trusted by the server. To use such a certificate, append the certificate
: of the signing authority to the postgresql.crt file, then its parent
: authority's certificate, and so on up to a "root" authority that is
: trusted by the server. The root certificate should be included in every
: case where postgresql.crt contains more than one certificate.

In the JDBC case you'd need to put all those certs into the client's
keystore, which I'm afraid I don't know the details of doing.  Possibly
somebody on pgsql-jdbc could help you with that.

            regards, tom lane

pgsql-general by date:

Previous
From: alexondi
Date:
Subject: pg_controldata return wrong version
Next
From: Adrian Klaver
Date:
Subject: Re: pg_controldata return wrong version