> > I personally haven't tired SSL for PostgreSQL but, I think, You should > put in root.crt only intermediate certificate (C1 - from prev post), so > all and only all "sub-certs" of intermediate CA will be able to > establish connection (paranoic security). > > Putting intermediate CAs as trusted in Java keystore may be solution, > but I'm not sure if in situation of cert invalidation, such cert will be > rejected. > > If you want to write SSL Factory, you should re-implement KeyManager > only, to give ability of extended search. > > Regards, > Radek > I have already tried with only C1 in root.crt but unfortunately it does not work. I get error message that cert is invalid. It seems that chained CA's are not supported in a way we would like to have it done. I would prefer to have number of trusted certs in root.crt limited as much as possible, but as I said it does not work. About Java, I would need to analyze the libpq code and implement KeyManager in a similar way - this is surely possible but not necessarily preferred solution ;-) Kind regards, Joanna -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general