Hi,
I was trying to set up PostgreSQL to use a certificate revocation list
so I could revoke client certificates, but was unable to get it to work.
I was following [this tutorial][1] to create root and intermediate CA
certificates, then producing certificates for the PostgreSQL server and
client.
I have created a [Dockerfile][2] which shows the problem. The short
story is that with the CRL I’ve created in PEM format, a client
certificate is rejected with error “psql: SSL error: tlsv1 alert
unknown ca”. If I don’t set ssl_crl_file, the client certificate is
accepted.
I tested on 9.4-9.6. I tried to find examples about using ssl_crl_file
but wasn’t able to find anything. I found [this message][3] from 2014
without any replies.
[1]:
https://jamielinux.com/docs/openssl-certificate-authority/index.html
[2]: https://github.com/RazerM/postgres_crl_test
[3]: https://postgrespro.com/list/thread-id/1163456
Kind regards,
Frazer McLean
