Asia <asia123321@xxxxx> writes:
> Now the issue is that when using libpq it was enough to have only root certificate in server's root.crt and it worked fine.
> But when I tried using the same with JDBC it turned out that I need to put whole chain (2 certs) of Intermediate CA 1 in server's root.crt.

This is poor configuration, because every certificate listed in root.crt
is considered fully trusted for every purpose.  It's best to keep only
top-level root certs in root.crt.  Instead, put the full chain of
certificates into the client's postgresql.crt, as per the manual:

: In some cases, the client certificate might be signed by an
: "intermediate" certificate authority, rather than one that is directly
: trusted by the server. To use such a certificate, append the certificate
: of the signing authority to the postgresql.crt file, then its parent
: authority's certificate, and so on up to a "root" authority that is
: trusted by the server. The root certificate should be included in every
: case where postgresql.crt contains more than one certificate.

In the JDBC case you'd need to put all those certs into the client's
keystore, which I'm afraid I don't know the details of doing.  Possibly
somebody on pgsql-jdbc could help you with that.

			regards, tom lane
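
The chain layout described in this message, as an added example that is not part of the original e-mail and not PostgreSQL's own code: it builds a throwaway three-level PKI with `openssl` and uses `openssl verify` as a stand-in for the server's check, with root.crt holding only the root. The subject names, file prefixes and function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo PKI (all names and files are made up for this example):
#   Demo Root CA -> Demo Intermediate CA 1 -> client certificate "appuser"
make_demo_pki() (
    cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    new_key_and_csr() {   # $1 = file prefix, $2 = subject CN
        openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
            -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    sign() {              # $1 = subject prefix, $2 = issuer prefix, $3 = extensions
        openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
            -extfile pki.cnf -extensions "$3" -days 30 -out "$1.crt" 2>/dev/null
    }
    openssl req -config pki.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Root CA" -days 30 -keyout root.key -out root.crt 2>/dev/null || exit 1
    new_key_and_csr int "Demo Intermediate CA 1" && sign int root v3_ca || exit 1
    new_key_and_csr client "appuser" && sign client int v3_client || exit 1
    # Client side: leaf first, then its signer, and so on up to the root.
    cat client.crt int.crt root.crt > postgresql.crt
)

# Model of the server's check: the only trust anchor is root.crt; whatever the
# client presents ($2) is untrusted material used to build the path to it.
server_accepts() {        # $1 = PKI directory, $2 = file the client presents
    openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/client.crt" >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
server_accepts "$d" "$d/postgresql.crt" && echo "full chain in postgresql.crt: accepted"
server_accepts "$d" "$d/client.crt"     || echo "leaf only in postgresql.crt: rejected"
```

The second call fails because the intermediate is neither trusted nor presented, which is the situation that tempts people into adding it to the server's root.crt.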