I am trying to configure PostgreSQL 8.4 to trust an intermediate CA for client certificate validation -- without trusting everything signed by the root CA (or a different intermediate CA). Given the following CA hierarchy, for example, I would like to trust *only* client certificates signed by the client CA.

              +---------+
              | Root CA |
              +---------+
                  /\
                 /  \
                /    \
               /      \
              /        \
             /          \
            /            \
           /              \
    +-----------+    +-----------+
    | Server CA |    | Client CA |
    +-----------+    +-----------+

I expected that I could simply use the client CA certificate as $PGDATA/root.crt, but this does not work; I get an "unknown ca" error. AFAICT, there is absolutely no way to make PostgreSQL trust a CA that is not a self-signed root CA.

I can connect successfully if I add the root CA certificate to the root.crt file, but that would effectively trust any certificate signed by the root CA or any of its subsidiaries, something that I absolutely do not want.

Am I missing something?

(And yes, I have read the documentation, several times over. It talks about adding the intermediate CA certificate(s) to the certificate chain presented by the client, so that the server can complete the chain between the client certificate and the trusted root CA. The use case described above is not discussed, even though it's pretty fundamental to the PKI trust model.)

Thanks!

-- 
========================================================================
Ian Pilcher                                         arequipeno@xxxxxxxxx
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
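The behaviour described in the question, reproduced as an added example (not code from the post or from PostgreSQL): it builds the Root CA / Server CA / Client CA hierarchy in memory with the `cryptography` package and runs a simplified chain walker over it. `validate` is an assumed model of the two verification modes (only issuer-name matching and signature checks; no validity-period or constraint checks): the strict mode that PostgreSQL 8.4's default OpenSSL verification uses, which needs a self-signed anchor and so rejects a bare Client CA in root.crt with the "unknown ca" result, and OpenSSL's later partial-chain mode (X509_V_FLAG_PARTIAL_CHAIN), which is what trusting only the Client CA requires.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _cert(cn, key, issuer=None, issuer_key=None, ca=False):
    """Issue a certificate for `cn`; self-signed when no issuer is given."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))

def _signed_by(cert, issuer):
    """True when `issuer` is named as cert's issuer and its key verifies the signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False

def validate(leaf, untrusted, anchors, partial_chain=False):
    """Simplified model: strict mode needs the walk to end at a self-signed
    anchor; partial_chain mode succeeds as soon as any anchor is reached."""
    cert = leaf
    for _ in range(8):                      # bound the walk; real chains are short
        anchor = next((a for a in anchors if _signed_by(cert, a)), None)
        if anchor is not None:
            if partial_chain or _signed_by(anchor, anchor):
                return True
            cert = anchor                   # intermediate anchor: keep climbing
            continue
        if _signed_by(cert, cert):
            return False                    # self-signed but not in the trust store
        cert = next((u for u in untrusted if _signed_by(cert, u)), None)
        if cert is None:
            return False                    # no issuer found: the "unknown ca" case

def build_hierarchy():
    """Constructed sample PKI: Root CA -> Server CA and Client CA -> leaf certs."""
    root_k, srv_k, cli_k, alice_k, stray_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    root = _cert("Root CA", root_k, ca=True)
    server_ca = _cert("Server CA", srv_k, root, root_k, ca=True)
    client_ca = _cert("Client CA", cli_k, root, root_k, ca=True)
    return {"root": root, "server_ca": server_ca, "client_ca": client_ca,
            "alice": _cert("alice", alice_k, client_ca, cli_k),        # proper client cert
            "stray": _cert("db.example", stray_k, server_ca, srv_k)}   # Server CA leaf offered as a client cert
```

With the Root CA as the anchor, `stray` (issued under the Server CA) validates just like `alice`, which is exactly the over-broad trust the question wants to avoid; with only the Client CA as anchor, `alice` fails in strict mode and passes only in partial-chain mode.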