Bruce Momjian <bruce@momjian.us> writes:
> I have updated the patch, attached, to be clearer about the requirement
> that intermediate certificates need a chain to root certificates.
I see that you removed the sentence
The root certificate should be included in every case where <filename>postgresql.crt</> contains more than one
certificate.
in both places where it appeared. I seem to remember that I'd put that
in on the basis of experimentation, ie it didn't work to provide just
a partial chain. You appear to be telling people that it's safe to
omit the root cert, and I think this is wrong.
Specifically, rather than the text "trusted by the server, i.e. signed by
a certificate in the server's <filename>root.crt</filename> file", I think
you need to say "trusted by the server, i.e., appears in the server's
<filename>root.crt</filename> file". Have you experimented with the
configuration you're proposing, and if so, with which OpenSSL versions?
regards, tom lane