Re: what can go in root.crt ? - Mailing list pgsql-hackers

From Laurenz Albe
Subject Re: what can go in root.crt ?
Date
Msg-id 74fc462353764d11d807976825eb091ef8f6e0f1.camel@cybertec.at
In response to what can go in root.crt ?  (Chapman Flack <chap@anastigmatix.net>)
Responses Re: what can go in root.crt ?
Re: what can go in root.crt ?
List pgsql-hackers
On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> Certificates I get at $work come four layers deep:
> 
> 
> Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
> 
>   Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
> 
>     Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
> 
>       End-entity cert for my server.
> 
> 
> And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> to be what I'm calling trusted in root.crt?

I don't know if there is a way to get this to work, but the
fundamental problem seems to be that you have got the system wrong.

If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
it as a certification authority.

Yours,
Laurenz Albe



