ChoonSoo Park <luispark@xxxxxxxxx> writes:
> Then I tried to test more complex thing - chained CA.
> Scenario 1. Postgresql having server.crt signed by Root CA and one of
> clients having postgresql.crt signed by intermediate CA.

> Machine 1: Created a new intermediate CA (ra.crt) signed by root
> certificate. Created a new client certificate signed by the intermediate CA.
> Concatenated root CA & intermediate CA using
> openssl x509 -text -in root.crt > newroot.crt
> openssl x509 -text -in ra.crt >> newroot.crt

Not an SSL expert, but my recollection is that the order of the certs in
the file is significant, and this order is the wrong one: root cert goes
last.

Moreover, root.crt should basically only contain the trusted root cert.
The chains of intermediate certs (plus a copy of the root cert) belong
in server.crt and the client-side postgresql.cert. Not terribly good
design, probably, but you'd have to take that up with the openssl folk
not us.

FWIW, I *have* tested chained certs, and they do work for me per the
documentation; or at least did the last time I tried it about two years
ago.

			regards, tom lane
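
An added example (not part of the thread, and not PostgreSQL's own tooling): it builds a throwaway root CA, intermediate CA and client certificate with the openssl CLI, lays the files out as the reply describes, and checks the client chain against a trust file that holds only the root. The subject names and the file name leaf.crt are made up for the demo.

```shell
#!/bin/sh
# Added example. Subject names (demo-root, demo-intermediate, alice), leaf.crt
# and all keys are constructed for this demo; requires the openssl CLI.
set -eu

make_chain() (  # $1 = empty working directory (runs in a subshell)
    cd "$1"
    # Minimal config so the result does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > ssl.cnf
    # Self-signed root CA: the only certificate that goes into root.crt.
    openssl req -config ssl.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 1 -subj /CN=demo-root -keyout root.key -out root.crt 2>/dev/null
    # Intermediate CA (ra.crt in the thread), signed by the root.
    openssl req -config ssl.cnf -new -newkey rsa:2048 -nodes \
        -subj /CN=demo-intermediate -keyout ra.key -out ra.csr 2>/dev/null
    openssl x509 -req -in ra.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ssl.cnf -extensions v3_ca -days 1 -out ra.crt 2>/dev/null
    # Client certificate, signed by the intermediate.
    openssl req -config ssl.cnf -new -newkey rsa:2048 -nodes \
        -subj /CN=alice -keyout postgresql.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ra.crt -CAkey ra.key -CAcreateserial \
        -days 1 -out leaf.crt 2>/dev/null
    # Layout from the reply: own cert first, then intermediates, root copy last.
    cat leaf.crt ra.crt root.crt > postgresql.crt
)

# The verifier trusts only root.crt; the intermediate is taken from the
# chain the peer presents (postgresql.crt), passed here as -untrusted.
verify_presented_chain() (  # $1 = working directory
    cd "$1"
    openssl verify -CAfile root.crt -untrusted postgresql.crt leaf.crt >/dev/null 2>&1
)

# Same trust file, but the peer presents only its leaf: no path to the root.
verify_leaf_alone() (  # $1 = working directory
    cd "$1"
    openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
)

work=$(mktemp -d)
make_chain "$work"
verify_presented_chain "$work" && echo "chain file presented: verifies against root.crt"
verify_leaf_alone "$work" || echo "leaf alone: rejected, issuer not found"
```
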