Re: Trust intermediate CA for client certificates
From | Stephen Frost |
---|---|
Subject | Re: Trust intermediate CA for client certificates |
Date | |
Msg-id | 20131202214925.GX17272@tamriel.snowman.net |
In reply to | Re: Trust intermediate CA for client certificates (Ian Pilcher <arequipeno@gmail.com>) |
List | pgsql-hackers |
* Ian Pilcher (arequipeno@gmail.com) wrote:
> On 12/02/2013 03:15 PM, Stephen Frost wrote:
> > That isn't at *all* accurate. Authorization is handled by pg_ident and
> > PG's role and grant system. We are only using OpenSSL's trust of the
> > certificate for authentication.
>
> OK, how do I configure Postgres to only allow connections when the
> client presents a certificate signed by a particular intermediate CA?

You don't - but that's because the certificate trust chain isn't part of the trust definition for certificates - which is a *certificate* thing and hasn't got anything to do with PG. It would also make CA rollover *extremely* painful, which is why people don't do it. You want your intermediate CAs to have relatively short-lived times, and if you start codifying which intermediate CAs you trust, things get very ugly when you need to bring a new intermediate CA online to replace the ageing one and people start trying to access your service with certificates signed off the new one.

Which certificate-based system allows you to do this? As I mentioned up-thread, in the certificate realm (at least in the US government..), this is handled through CA bridges between root CAs (there is no single 'US government' root CA).

Thanks,

Stephen
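As an added illustration that is not part of the original thread, the configuration below shows the split Stephen describes: OpenSSL's validation of the client's chain against `ssl_ca_file` is the authentication step, and `pg_hba.conf` together with `pg_ident.conf` (plus ordinary GRANTs) is the authorization step. File names, the map name `certmap`, the address range and the example CN pattern are constructed assumptions, not values from the thread.

```conf
# postgresql.conf (added example; file names are assumptions)
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
# Trust anchor bundle for client certificates. OpenSSL verifies the chain
# the client presents against this file; that verification is the whole of
# the authentication step. Nothing here names a particular intermediate CA.
ssl_ca_file   = 'root_ca.crt'

# pg_hba.conf (added example; address range is an assumption)
# TYPE    DATABASE  USER  ADDRESS      METHOD
hostssl   all       all   10.0.0.0/8   cert map=certmap
# 'cert' requires a client certificate that validates against ssl_ca_file,
# takes the certificate's CN as the system user name, then applies the map.

# pg_ident.conf (added example; map name and CN pattern are assumptions)
# MAPNAME   SYSTEM-USERNAME           PG-USERNAME
certmap     /^(.*)@example\.com$      \1
certmap     ops-admin                 postgres
# Authorization is this mapping plus the GRANTs held by the target role.
# A certificate that chains correctly but whose CN matches no line is
# authenticated by OpenSSL and still rejected, because it maps to no role.
```

The regex form (`/`-prefixed SYSTEM-USERNAME with `\1` in PG-USERNAME) is standard `pg_ident.conf` syntax. Which intermediate issued the client certificate is not a criterion anywhere in these files, which is the point of the reply above: the chain is checked by OpenSSL, and role access is decided by the map and grants.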