Ian Pilcher <arequipeno@xxxxxxxxx> writes:
> I am trying to configure PostgreSQL 8.4 to trust an intermediate CA for
> client certificate validation -- without trusting everything signed by
> the root CA (or a different intermediate CA). Given the following CA
> hierarchy, for example, I would like to trust *only* client certificates
> signed by the client CA.
>
>                +---------+
>                | Root CA |
>                +---------+
>                    /\
>                   /  \
>                  /    \
>                 /      \
>                /        \
>               /          \
>              /            \
>             /              \
>       +-----------+  +-----------+
>       | Server CA |  | Client CA |
>       +-----------+  +-----------+
>
> I expected that I could simply use the client CA certificate as
> $PGDATA/root.crt, but this does not work; I get an "unknown ca" error.

Maybe I'm missing something, but I don't see why you'd expect a different
result. That leaves you with no way to validate the server's own
certificate. I think it might work to put both the server CA and client
CA certs (but not the root CA cert) into the server's root.crt.

regards, tom lane

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
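A constructed demonstration of the trust-file question in this thread, added here and not part of the original exchange: it builds the Root CA / Server CA / Client CA hierarchy from the diagram with throwaway keys, then checks which contents of a root.crt-style trust file let each leaf certificate verify under OpenSSL's default chain validation, the same validation the PostgreSQL server applies to root.crt. It assumes the openssl CLI is on PATH (1.0.2 or later for the `-partial_chain` cases); all CA names and files are made up.

```shell
#!/bin/sh
# Constructed demo (not from the thread): build the Root CA -> {Server CA, Client CA}
# hierarchy with throwaway keys and test what a root.crt-style trust file accepts.
# Assumes the openssl CLI (1.0.2 or later for -partial_chain); all names are made up.
set -u
work=$(mktemp -d) && cd "$work" || exit 1
# Self-signed root: the only kind of certificate OpenSSL's default path building accepts as an anchor.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Root CA" -days 365 >/dev/null 2>&1

# issue_ca NAME ISSUER: intermediate CA certificate NAME.crt signed by ISSUER.
issue_ca() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -out "$1.crt" -days 365 -extfile "$1.ext" >/dev/null 2>&1
}

# issue_leaf NAME ISSUER: end-entity certificate plus NAME.chain (leaf + issuing CA),
# the chain a client would present alongside its certificate.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -out "$1.crt" -days 365 >/dev/null 2>&1
    cat "$1.crt" "$2.crt" > "$1.chain"
}
issue_ca   serverca root
issue_ca   clientca root
issue_leaf server   serverca
issue_leaf client   clientca

# verify_with OPTS LEAF CA...: build a trust file from the listed CA certs (what
# root.crt would hold) and print ok/fail for LEAF; OPTS is "" or -partial_chain.
verify_with() {
    opts=$1; leaf=$2; shift 2
    : > trust.pem
    for ca in "$@"; do cat "$ca.crt" >> trust.pem; done
    if openssl verify $opts -untrusted "$leaf.chain" -CAfile trust.pem "$leaf.crt" 2>&1 \
        | grep -q ': OK$'; then echo ok; else echo fail; fi
}

echo "client, trust={clientca}:           $(verify_with '' client clientca)"            # fail: the 'unknown ca' case
echo "client, trust={serverca,clientca}:  $(verify_with '' client serverca clientca)"   # fail: no self-signed anchor
echo "client, trust={root}:               $(verify_with '' client root)"                # ok
echo "server, trust={root}:               $(verify_with '' server root)"                # ok: root also admits the Server CA branch
echo "client, trust={clientca} partial:   $(verify_with -partial_chain client clientca)"  # ok
echo "server, trust={clientca} partial:   $(verify_with -partial_chain server clientca)"  # fail
```

Without partial-chain mode the trust file has to contain the self-signed root, which admits every branch beneath it; the two `-partial_chain` runs show what anchoring trust at the Client CA alone would require of the verifier.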