Thread: more on makecert and pgkeygen

more on makecert and pgkeygen

From
Bear Giles
Date:
I've been giving some more thought to the makecert (server)
and pgkeygen (client) programs, and may have a clean solution
to the problem of mapping certs to pgusers.

1) makecert will have the ability to generate two different types  of certs: root (CA) certs and server certs.  The
servercerts  are signed by the root cert and server certs can be fully  verified by adding the root cert to the user's
~/.postgresql directory.
 
  This tool would be run once soon after installation.

2) pgkeygen will create basic self-signed certs.  These certs  must be signed by the DBA before they're usable.
  This tool would be run once by each user.

3) an third tool (signcert?) is used to sign the user certs with  the root cert created by makecert.  This allows the
backend to require client certs be signed by a trusted CA... and to  trust the pguser string within them.  Clients
couldstill use  SSL without client certs, but it couldn't be used for   authentication.
 
  This tool would take two arguments - the client's self-signed  (or previously signed) cert and a pguser string.  The
cert would be modified to include an altSubjName extension that  identifies the pguser (e.g., "postgresql: pguser") and
then  signed.
 
  This tool would be run as-needed by the DBA, and would be  required to support SSL-based authentication.  

There are other issues with CRLs, renewals, etc., but they can
be pushed off for a while.

Bear