Re: Trust intermediate CA for client certificates

On Sat, Nov 30, 2013 at 12:10:19PM -0500, Bruce Momjian wrote:
> > Drat, you're quite right. I've always included the full certificate
> > chain in client certs but it's in no way required.
> >
> > I guess that pretty much means maintaining the status quo and documenting
> > it better.
>
> I have developed the attached patch to document this behavior.  My goals
> were:
>
> * clarify that a cert can match a remote intermediate or root certificate
> * clarify that the client cert must match a server root.crt
> * clarify that the server cert much match a client root.crt
> * clarify that the root certificate does not have to be specified
>   in the client or server cert as long as the remote end has the chain
>   to the root
>
> Does it meet these goals?  Is it correct?

I have updated the patch, attached, to be clearer about the requirement
that intermediate certificates need a chain to root certificates.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +