Good Day I'm trying to setup SSL auth. creating CA: openssl genrsa -out our.key 2048 openssl req -new -key our.key -out our.req openssl req -x509 -in our.req -text -key our.key -out root.crt then I copy root.crt on postgresql host and to client host in ~/.postgresql generating another key on server: openssl genrsa -out server.key 2048 then request for signing to CA: openssl req -new -key server.key -out server.req signing on CA: openssl req -x509 -in server.req -text -key our.key -out server.crt now in postgresql data dir following files: server.crt server.key root.crt and blank root.crl on client host: cd ~/.postgresql openssl genrsa -out postgresql.key 2048 then signing with our.key on CA and placing postgresql.crt, root.crt to ~/.postgresql This is my picture of what is happening: 1. we using our CA public key to generate root.crt: root_signature = ca_pub_key**ca_priv_key % n 2. on postgres server creating key-pair and signing public key on CA, receiving server_signature (server.crt): server_signature = server_pub_key**root_priv_key % n Client using server_signature before encrypting and sending message to server: server_pub_key = server_signature**root_pub_key % n if server_pub_key is valid then user encrypting message with server_pub_key. 3. Client generating his own key-pair and asking our CA to sign his public key. client_signature = client_pub_key**ca_priv_key % n client_signature he writing to postgresql.crt, which server using when sending something to client: client_pub_key = client_signature**root_pub_key % n If everything is correct, than why psql complaining: psql "dbname=me sslmode=require host=postgres_server user=me" psql: SSL error: certificate verify failed log on postgres_server: postgres[98462]: [3-1] LOG: could not accept SSL connection: tlsv1 alert unknown ca P.S. postgres-8.2 on freebsd postgresql-client-8.2 on debian
