Re: JDBC SSL with postgresql
From | Craig Ringer
---|---
Subject | Re: JDBC SSL with postgresql
Date |
Msg-id | 4C074292.8010208@postnewspapers.com.au
In reply to | Re: JDBC SSL with postgresql (Jeffrey Baker <jwbaker@gmail.com>)
List | pgsql-jdbc
On 3/06/2010 11:06 AM, Jeffrey Baker wrote:
> Thanks for the info.
>
> I have complete control of both ends, and both the server and client
> are signed by my self-signed root cert. I think perhaps the problem
> here is that I'm trying to tackle the entire Java SSL infrastructure
> in one go; I knew nothing about it this morning. I read somewhere
> that the keystore has to include both the client cert and the root
> cert that signed it. Is that not true?

No, it's not strictly true, but it's a good idea. However, "include" is pretty broad.

When you get a reply from your certificate authority containing the signed certificate, it should include the full certificate chain in that reply. If it doesn't, you should append the CA cert and any other intermediate certs to the reply before importing it with keytool.

So, when you use keytool to list your keystore, you should only see one entry (alias). The certificate part of that entry should preferably include the full certificate chain up to the CA certificate, though.

Your truststore should contain only trustedCertificate aliases for the CA certs you trust to identify peers.

> I've tried it both ways:
> added root cert, then added client cert (this is the way it's
> documented in the keytool manual page, the way I interpret it), and
> only adding the client cert to the keystore. It doesn't seem to work
> either way.

Concatenate all certs in the chain into one file, and import that.

--
Craig Ringer
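As an added example (not code from Craig's message or from the PgJDBC project), the following Java program checks a keystore and truststore against the layout described above: exactly one key entry in the keystore, whose certificate chain runs from the client cert up to the CA, each link signed by the next, with the top of the chain present as a trusted-certificate entry in the truststore, and nothing but trusted-certificate entries in the truststore. The file paths and passwords are command-line arguments, and the "JKS" store type is an assumption (keytool's format at the time of this thread; use "PKCS12" for stores written with -storetype pkcs12 or by a current keytool).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example, not from the mailing list post: checks that a keystore and
 * truststore have the layout Craig describes (one key entry with a full chain
 * in the keystore; only trusted CA certs in the truststore).
 */
public class KeyStoreLayoutCheck {

    // Assumption: JKS, the format keytool wrote at the time of the thread.
    static final String STORE_TYPE = "JKS";

    static KeyStore load(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns the problems found; an empty list means the layout matches. */
    static List<String> checkLayout(KeyStore keyStore, KeyStore trustStore)
            throws GeneralSecurityException {
        List<String> problems = new ArrayList<>();

        // 1. The keystore should hold exactly one entry, and it should be a key entry.
        List<String> keyAliases = new ArrayList<>();
        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.isKeyEntry(alias)) {
                keyAliases.add(alias);
            } else {
                problems.add("keystore: unexpected trusted-cert entry '" + alias
                        + "' (CA certs belong in the truststore)");
            }
        }
        if (keyAliases.size() != 1) {
            problems.add("keystore: expected exactly one key entry, found " + keyAliases.size());
            return problems;
        }
        String alias = keyAliases.get(0);

        // 2. The key entry's chain should carry more than just the client cert.
        Certificate[] chain = keyStore.getCertificateChain(alias);
        int length = chain == null ? 0 : chain.length;
        if (length < 2) {
            problems.add("keystore: entry '" + alias + "' carries " + length
                    + " certificate(s); import the concatenated chain (client cert + CA certs) under this alias");
        }

        // 3. Each certificate in the chain should be signed by the one after it.
        for (int i = 0; i + 1 < length; i++) {
            try {
                chain[i].verify(chain[i + 1].getPublicKey());
            } catch (GeneralSecurityException e) {
                problems.add("keystore: chain[" + i + "] is not signed by chain[" + (i + 1) + "]: " + e);
            }
        }

        // 4. The top of the chain should be one of the truststore's trusted certs
        //    (getCertificateAlias matches on the encoded certificate).
        if (length > 0) {
            Certificate top = chain[length - 1];
            if (trustStore.getCertificateAlias(top) == null) {
                problems.add("truststore: does not contain the chain's top certificate "
                        + ((X509Certificate) top).getSubjectX500Principal());
            }
        }

        // 5. The truststore should contain only trusted-certificate entries.
        for (String tAlias : Collections.list(trustStore.aliases())) {
            if (!trustStore.isCertificateEntry(tAlias)) {
                problems.add("truststore: '" + tAlias
                        + "' is a key entry; keep private keys out of the truststore");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeyStoreLayoutCheck <keystore> <keystore-password>"
                    + " <truststore> <truststore-password>");
            System.exit(2);
        }
        KeyStore ks = load(args[0], args[1].toCharArray());
        KeyStore ts = load(args[2], args[3].toCharArray());
        List<String> problems = checkLayout(ks, ts);
        if (problems.isEmpty()) {
            System.out.println("keystore/truststore layout OK");
        } else {
            problems.forEach(System.out::println);
            System.exit(1);
        }
    }
}
```

Run it as `java KeyStoreLayoutCheck client.jks <pw> truststore.jks <pw>` after importing the concatenated chain; a chain of length 1 under the key alias is the symptom Jeffrey describes (the signed client cert imported without the CA certs appended). The same structure is visible in `keytool -list -v -keystore client.jks`, which prints the entry type and "Certificate chain length" for the key entry.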