Correction of intermediate certificate handling

From: Bruce Momjian
Subject: Correction of intermediate certificate handling
Msg-id: 20180116002238.GC12724@momjian.us
Replies: Re: Correction of intermediate certificate handling (Michael Paquier <michael.paquier@gmail.com>)
List: pgsql-docs
We have been confused by the behavior of intermediate certificates in
Postgres for many years.  Some people put the intermediate certificates
only on the server and they were supplied to the client, while other
people couldn't get that to work.  In our documentation we recommended
storing intermediate certificates on the client and server.

As part of research for my security talks:

    https://momjian.us/main/presentations/security.html

I asked Stephen Frost and David Steele for details on the arcane art of
SSL certificate creation.  They showed me scripts they use and explained
that they properly pass intermediate certificates to clients.  The trick
was to use the v3_ca extension when creating root and intermediate
certificates.

My talk documents this behavior.  In this talk:

    https://momjian.us/main/writings/pgsql/tls.pdf

slides 47 and 49 use -extensions v3_ca.  Slides 73 and 74 show that the
intermediate is not needed on the client if it is created with v3_ca and
exists on the server.  Slide 75 shows that the server certificate must be
first in server.crt.

I have created the attached doc patch to add this information to our
docs.  I would like to backpatch this since what we have now, while it
works, is inaccurate.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
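The procedure Bruce describes (root and intermediate created with the v3_ca extension, the intermediate kept only on the server, the server certificate first in server.crt) worked through with the openssl CLI, as an added example that is not part of the message or of the PostgreSQL docs. It builds a throwaway PKI, checks that a verifier holding only root.crt accepts the server certificate once the intermediate arrives with the chain the server sends, and shows the failure mode when the intermediate is issued without v3_ca. All file names, subjects and the host name db.example.internal are made up for the demo; the config sections and the openssl options are standard.

```shell
#!/bin/sh
# Added example, not from Bruce Momjian's message or the PostgreSQL docs.
# Builds a root CA and an intermediate CA with "-extensions v3_ca", issues a
# server certificate from the intermediate, assembles server_chain.crt with the
# server certificate first, and verifies it with only root.crt trusted.
set -eu

# Minimal openssl config. The v3_ca section mirrors the one in the stock
# openssl.cnf; v3_leaf is a plain end-entity profile for the server cert.
write_config() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:db.example.internal
EOF
}

# Issue the root, the intermediate (both with v3_ca) and the server cert,
# then assemble the chain file with the server certificate first.
build_pki() {
    dir=$1
    write_config "$dir"
    cnf=$dir/pki.cnf
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -subj "/CN=Demo Root CA" -config "$cnf" -extensions v3_ca \
        -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -subj "/CN=Demo Intermediate CA" -config "$cnf" \
        -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$cnf" -extensions v3_ca \
        -out "$dir/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -subj "/CN=db.example.internal" -config "$cnf" \
        -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$cnf" -extensions v3_leaf \
        -out "$dir/server.crt" 2>/dev/null
    # Order matters: the server's own certificate first, then the intermediate.
    # This is the file the server hands to clients (ssl_cert_file in Postgres).
    cat "$dir/server.crt" "$dir/int.crt" > "$dir/server_chain.crt"
}

# Subject of the first certificate in a PEM bundle (openssl x509 reads only the
# first one); used to confirm the leaf-first ordering of the chain file.
first_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Verify the way a client with only root.crt would: the trust store holds just
# the root, the intermediate is available only from the chain the server sent.
verify_as_client() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/server_chain.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

# The failure mode in the message: an intermediate issued without v3_ca carries
# no CA:TRUE basicConstraints, so the chain is rejected although every
# signature is valid. Returns 0 when verification fails as expected.
bad_intermediate_is_rejected() {
    dir=$1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int_noca.crt" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int_noca.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/pki.cnf" -extensions v3_leaf \
        -out "$dir/server_noca.crt" 2>/dev/null
    if openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int_noca.crt" \
        "$dir/server_noca.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

WORK=$(mktemp -d)
build_pki "$WORK"
first_subject "$WORK/server_chain.crt"
verify_as_client "$WORK" && echo "chain verified with root.crt only"
bad_intermediate_is_rejected "$WORK" && echo "intermediate without v3_ca rejected"
```

The `-untrusted` argument stands in for the client receiving the intermediate over the TLS handshake; nothing but root.crt is trusted. Verification itself does not care about the order inside the bundle, which is why the leaf-first check is done separately: it is the server's certificate loader, not the verifier, that requires the server certificate to come first.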
