Re: Trust intermediate CA for client certificates
| От | Bruce Momjian |
|---|---|
| Тема | Re: Trust intermediate CA for client certificates |
| Дата | |
| Msg-id | 20131202204626.GJ5274@momjian.us обсуждение исходный текст |
| Ответ на | Re: Trust intermediate CA for client certificates (Tom Lane <tgl@sss.pgh.pa.us>) |
| Список | pgsql-hackers |
On Mon, Dec 2, 2013 at 03:07:48PM -0500, Tom Lane wrote: > Bruce Momjian <bruce@momjian.us> writes: > > On Mon, Dec 2, 2013 at 12:59:41PM -0500, Tom Lane wrote: > >> I see that you removed the sentence > >> The root > >> certificate should be included in every case where > >> <filename>postgresql.crt</> contains more than one certificate. > > > I don't fully understand the issues but the discussion seens to indicate > > this. Am I missing something? Should I run some tests? > > My recollection is that if the client cert file includes *only* the > client's own cert, the server will puzzle out how that connects to the > certs it has. However, if the client cert file contains more than one > cert (ie, client's cert and some intermediate-CA cert), the server > will *not* try to associate the intermediate cert with some root cert it > has. It wants the chain the client sends to terminate in a cert that it > has listed directly in root.crt. OK, so you are saying if the client only supplies one cert, it will try to find a signing cert in root.crt, but if multiple certs are supplied, you have to get a cert match (not a signing). I can adjust the docs for that. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + Everyone has their own god. +
В списке pgsql-hackers по дате отправления: