On 12/16/2014 08:56 PM, harpagornis wrote:
To anyone following this thread, I would also like to point out the following, from Man 31.18.1. In verify-full mode, the cn (Common Name) attribute of the certificate is matched against the host name. If the cn attribute starts with an asterisk (*), it will be treated as a wildcard, and will match all characters except a dot (.). This means the certificate will not match subdomains. If the connection is made using an IP address instead of a host name, the IP address will be matched (without doing any DNS lookups). ----------------------------------------------------------------- So it seems that when creating self-signed certificates for use in verify-full mode, the CN is not the user id, but instead, the host name, ie. 127.0.0.1, which is what I had.
That is true for the server certificate, but for the client certificate you need the CN=username. Run through the below again:
http://www.howtoforge.com/postgresql-ssl-certificates
-- View this message in context: http://postgresql.nabble.com/SSL-Certificates-in-Windows-7-Postgres-9-3-tp5830749p5831037.html Sent from the PostgreSQL - general mailing list archive at Nabble.com.
-- Adrian Klaver adrian.klaver@xxxxxxxxxxx -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
