>
> I think problem is as follows, server sends to client certificates it
> can accept (as accepted parents), without intermediate CA, Java sees
> only top-level cert and tries to find client cert issued directly by
> top-level CA, I may only assume, that without intermediate CA you will
> be able to auth against any cert signed by top-level CA (this may cause
> small security hole as well).
>
> I think this is not needed, but I suggest You too check cert "policies"
> with v3 extensions.
>
> Java is really pedantic, about security.
>
> Regards,
> Radek
>
The problem is that I believe that this configuration could be better but I cannot put part
of CA chain in root.crt as it was advised.
For Java it all depends on current SSL Factory implementation, I was using the default one.
If I wrote my own implementation I would probably be able to have common with libpq,
requiring the least info, configuration (but actually I would prefer to avoid it).
Kind regards,
Joanna