Re: ssl client cert authentication

Ray Stell <stellr@cns.vt.edu> writes:
> Someone asked about ssl client cert auth recently.  I got
> this to work, but something tripped me up.

> http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html

> states (very clearly, btw) that, "To require the client to supply a
> trusted certificate, place certificates of the certificate authorities
> (CAs) you trust in the file root.crt in the data directory."  I had
> ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.

> This begs the question, why two copies of the same file?

The one in ~/.postgresql is for client usage.  The one in $PGDATA is for
the server's use.  There's no reason to assume they'd be the same.

            regards, tom lane