> Asia <asia123321@xxxxx> writes: > > Now the issue is then when using libpq it was enough to have only root certificate in server's root.crt and it worked fine. > > But when I tried using the same with JDBC it turned out that I need to put whole chain (2 certs) of Intermediate CA 1 in server's root.crt. > > This is poor configuration, because every certificate listed in root.crt > is considered fully trusted for every purpose. It's best to keep only > top-level root certs in root.crt. Instead, put the full chain of > certificates into the client's postgresql.crt, as per the manual: > > : In some cases, the client certificate might be signed by an > : "intermediate" certificate authority, rather than one that is directly > : trusted by the server. To use such a certificate, append the certificate > : of the signing authority to the postgresql.crt file, then its parent > : authority's certificate, and so on up to a "root" authority that is > : trusted by the server. The root certificate should be included in every > : case where postgresql.crt contains more than one certificate. > > In the JDBC case you'd need to put all those certs into the client's > keystore, which I'm afraid I don't know the details of doing. Possibly > somebody on pgsql-jdbc could help you with that. > > regards, tom lane > Hi Tom, I have analyzed your reply thoroughly in my implementation, but unfortunately either I make something wrong with the configuration or it does not work like described in the doc. When I put top-level CA (just to remind intermediate CA is a 2 certs chain) certificate in root.crt on client I receive following error when connecting: SSL error: tlsv1 alert unknown ca When I do the same on server (with original root.crt on client) I receive following error when connecting with server's root.crt containing only top level CA: SSL error: certificate verify failed I was not actually asking for the details ho to do it with JDBC, since I got it working with proper keystore and truststore and "clientcert=1". I was asking why jdbc works differently than libpq - it should have similar behavior (JDBC uses standard ssl implementation from Java, I did not find custom implementation from Postgres). JDBC requires clients full CA chain in server's root.crt while libpq does not. The question is why and is it right ? Would you please let me know what possibly I am doing wrong and confirm that chained CA's are supported? I would expect to have only one top-level CA cert in server's and client's root.crt and it was not possible to configure with 2-level intermediate CA. Please advise. Kind regards, Joanna -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
