Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 529CFA6A.2070608@dunslane.net
Whole thread Raw
In response to Re: Trust intermediate CA for client certificates  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On 12/02/2013 04:17 PM, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
>> Sorry, I should have said:
>>     Tom is saying that for his openssl version, a client that passed
>>     an intermediate certificate had to supply a certificate _matching_
>>     something in the remote root.crt, not just signed by it.
>> At least I think that was the issue, rather than requiring the client to
>> supply a "root" certificate, meaning the client can supply an
>> intermediate or root certificicate, as long as it appears in the
>> root.crt file on the remote end.
> As far as the server is concerned, anything listed in its root.crt *is* a
> trusted root CA.  Doesn't matter if it's a child of some other CA.
>
> The issue is that the client's cert has to be linked to some element of
> root.crt somehow.  In principle you'd think that if the client provides
> an intermediate CA cert, the server should be able to match that to
> whichever root.crt member signed it, but that wasn't what I saw
> happening.  It'd be good for someone who uses SSL more than I do to
> replicate the experiment, though.  It's not impossible that I screwed up.
>

I have a test script I developed when I had some difficulties with 
intermediate CAs a while back. I'll see if I can clean it up and test 
this out.

cheers

andrew





pgsql-hackers by date:

Previous
From: Ian Pilcher
Date:
Subject: Re: Trust intermediate CA for client certificates
Next
From: Stephen Frost
Date:
Subject: Re: Trust intermediate CA for client certificates