Re: Trust intermediate CA for client certificates
From | Bruce Momjian |
---|---|
Subject | Re: Trust intermediate CA for client certificates |
Date | |
Msg-id | 20131203161825.GB27105@momjian.us |
In reply to | Re: Trust intermediate CA for client certificates (Andrew Dunstan <andrew@dunslane.net>) |
List | pgsql-hackers |
On Mon, Dec 2, 2013 at 05:35:06PM -0500, Andrew Dunstan wrote:
>
> On 12/02/2013 04:17 PM, Tom Lane wrote:
> >Bruce Momjian <bruce@momjian.us> writes:
> >>Sorry, I should have said:
> >> Tom is saying that for his openssl version, a client that passed
> >> an intermediate certificate had to supply a certificate _matching_
> >> something in the remote root.crt, not just signed by it.
> >>At least I think that was the issue, rather than requiring the client to
> >>supply a "root" certificate, meaning the client can supply an
> >>intermediate or root certificate, as long as it appears in the
> >>root.crt file on the remote end.
> >As far as the server is concerned, anything listed in its root.crt *is* a
> >trusted root CA. Doesn't matter if it's a child of some other CA.
>
>
> But it does need to be signed by a trusted signatory. At least in my
> test script (pretty ugly, but shown below for completeness), the
> Intermediate CA cert is signed with the Root cert rather than being
> self-signed as the Root cert is, and so if the server doesn't have
> that root cert as a trusted cert the validation fails.
>
> In case 1, we put the root CA cert on the server and append the
> intermediate CA cert to the client's cert. This succeeds. In case 2,
> we put the intermediate CA cert on the server without the root CA's
> cert, and use the bare client cert. This fails. In case 3, we put
> both the root and the intermediate certs in the server's root.crt,
> and use the bare client key, and as expected this succeeds.
>
> So the idea that you can just plonk any Intermediate CA cert in
> root.crt and have all keys it signs validated is not true, AFAICT.
>
> OpenSSL version 1.0.0j was used in these tests, on a Fedora 16 box.

OK, that behavior matches the behavior Ian observed and also matches my
most recent doc patch. I know Tom saw something different, but unless
he can reproduce it, I am thinking my doc patch is our best solution.
--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +
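The three cases Andrew describes above can be reproduced with nothing but the OpenSSL command line. The script below is an added example for this archive page; it is not Andrew's test script and not PostgreSQL code. It builds a self-signed root, an intermediate signed by that root, and a client certificate signed by the intermediate (all names such as "Example Root CA" are made up), then uses `openssl verify` as a stand-in for the chain check a server performs against its root.crt: the `-CAfile` argument plays the server's root.crt, and `-untrusted` plays the certificates a client appends to its own.

```shell
#!/bin/sh
# Added example: reproduce the three root.crt cases from the thread with
# `openssl verify`. Assumes `openssl` is on PATH. All names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: no DN prompting (we pass -subj) plus a CA extension section
# that is reused for both the root and the intermediate.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Self-signed root CA.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA, signed by the root (so it is NOT self-signed).
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 365 -in inter.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.cnf -extensions ca_ext -out inter.crt 2>/dev/null

# Client certificate, signed by the intermediate.
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=example_client" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 365 -in client.csr -CA inter.crt -CAkey inter.key \
    -CAcreateserial -out client.crt 2>/dev/null

# Server file for case 3: root and intermediate concatenated, like root.crt.
cat root.crt inter.crt > root_plus_inter.crt

# verify_client SERVER_ROOT_CRT [CLIENT_EXTRA_CHAIN]
# Prints OK if the client cert chains to the server's trusted file, else FAIL.
verify_client() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$2" client.crt 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$1" client.crt 2>&1 || true)
    fi
    case "$out" in
        *"client.crt: OK"*) echo OK ;;
        *) echo FAIL ;;
    esac
}

# Case 1: root on the server, client appends the intermediate to its cert.
case1() { verify_client root.crt inter.crt; }
# Case 2: intermediate alone on the server, bare client cert.
case2() { verify_client inter.crt; }
# Case 3: root and intermediate both on the server, bare client cert.
case3() { verify_client root_plus_inter.crt; }

echo "case 1 (root on server, client sends intermediate):        $(case1)"
echo "case 2 (intermediate only on server, bare client cert):     $(case2)"
echo "case 3 (root + intermediate on server, bare client cert):   $(case3)"
```

Case 2 fails because OpenSSL, when it reaches the intermediate in the trusted file, still looks for that certificate's issuer and refuses to stop at a certificate that is not self-signed. One caveat beyond what the thread discusses: OpenSSL 1.0.2 later added a partial-chain verification flag (`-partial_chain` on the command line, `X509_V_FLAG_PARTIAL_CHAIN` in the API) that lets a non-self-signed certificate in the trust store terminate the chain; the 1.0.0j build used in Andrew's tests predates it, so the behaviour he observed is the one to expect unless a server explicitly enables that flag.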