I've been giving some more thought to the makecert (server)
and pgkeygen (client) programs, and may have a clean solution
to the problem of mapping certs to pgusers.
1) makecert will have the ability to generate two different types of certs: root (CA) certs and server certs. The
servercerts are signed by the root cert and server certs can be fully verified by adding the root cert to the user's
~/.postgresql directory.
This tool would be run once soon after installation.
2) pgkeygen will create basic self-signed certs. These certs must be signed by the DBA before they're usable.
This tool would be run once by each user.
3) an third tool (signcert?) is used to sign the user certs with the root cert created by makecert. This allows the
backend to require client certs be signed by a trusted CA... and to trust the pguser string within them. Clients
couldstill use SSL without client certs, but it couldn't be used for authentication.
This tool would take two arguments - the client's self-signed (or previously signed) cert and a pguser string. The
cert would be modified to include an altSubjName extension that identifies the pguser (e.g., "postgresql: pguser") and
then signed.
This tool would be run as-needed by the DBA, and would be required to support SSL-based authentication.
There are other issues with CRLs, renewals, etc., but they can
be pushed off for a while.
Bear
