Thank you for your reply. I agree that this configuration could be better and this is why I sent my post. There is still one concern remaining. As I said I have working configuration with libpq and jdbc. For jdbc I created keystore, that is properly used with connection ssl=on parameter and clientcert=1 in og_hba.conf, everything works fine. The issue is why for libpq it is enough to have only one lowest level root certificate matched besides the fact that certificate postgresql.crt that is presented to server contains actually 3 certs (2 from Intermediate authority with lowest level root). For JDBC it was not enough, I had to put whole CA chain to be able to create succesfull connection. It seems lipqg does not support chained CA's. I need to confirm that this is working as designed (I will be able to adjust my solution depending on the answer). Thank you. Kind regards, Joanna W dniu 2011-08-22 15:37:28 użytkownik Tom Lane <tgl@xxxxxxxxxxxxx> napisał: > Asia <asia123321@xxxxx> writes: > > Now the issue is then when using libpq it was enough to have only root certificate in server's root.crt and it worked fine. > > But when I tried using the same with JDBC it turned out that I need to put whole chain (2 certs) of Intermediate CA 1 in server's root.crt. > > This is poor configuration, because every certificate listed in root.crt > is considered fully trusted for every purpose. It's best to keep only > top-level root certs in root.crt. Instead, put the full chain of > certificates into the client's postgresql.crt, as per the manual: > > : In some cases, the client certificate might be signed by an > : "intermediate" certificate authority, rather than one that is directly > : trusted by the server. To use such a certificate, append the certificate > : of the signing authority to the postgresql.crt file, then its parent > : authority's certificate, and so on up to a "root" authority that is > : trusted by the server. The root certificate should be included in every > : case where postgresql.crt contains more than one certificate. > > In the JDBC case you'd need to put all those certs into the client's > keystore, which I'm afraid I don't know the details of doing. Possibly > somebody on pgsql-jdbc could help you with that. > > regards, tom lane > -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general