Re: SSL certificates issue
| From | Asia |
|---|---|
| Subject | Re: SSL certificates issue |
| Date | |
| Msg-id | 50615181-44f36c75bf45f8f7a41bf3c7baee488f@pkn5.m5r2.onet |
| In reply to | SSL certificates issue (Asia <asia123321@op.pl>) |
| Responses | Re: SSL certificates issue |
| List | pgsql-general |
> Asia <asia123321@op.pl> writes:
> > Now the issue is then when using libpq it was enough to have only root certificate in server's root.crt and it worked fine.
> > But when I tried using the same with JDBC it turned out that I need to put whole chain (2 certs) of Intermediate CA 1 in server's root.crt.
>
> This is poor configuration, because every certificate listed in root.crt
> is considered fully trusted for every purpose. It's best to keep only
> top-level root certs in root.crt. Instead, put the full chain of
> certificates into the client's postgresql.crt, as per the manual:
>
> : In some cases, the client certificate might be signed by an
> : "intermediate" certificate authority, rather than one that is directly
> : trusted by the server. To use such a certificate, append the certificate
> : of the signing authority to the postgresql.crt file, then its parent
> : authority's certificate, and so on up to a "root" authority that is
> : trusted by the server. The root certificate should be included in every
> : case where postgresql.crt contains more than one certificate.
>
> In the JDBC case you'd need to put all those certs into the client's
> keystore, which I'm afraid I don't know the details of doing. Possibly
> somebody on pgsql-jdbc could help you with that.
>
> regards, tom lane

Hi Tom,

I have analyzed your reply thoroughly in my implementation, but unfortunately either I make something wrong with the configuration or it does not work like described in the doc.

When I put the top-level CA certificate (just to remind: the intermediate CA is a 2-cert chain) in root.crt on the client, I receive the following error when connecting:

SSL error: tlsv1 alert unknown ca

When I do the same on the server (with the original root.crt on the client), I receive the following error when connecting with the server's root.crt containing only the top-level CA:

SSL error: certificate verify failed

I was not actually asking for the details of how to do it with JDBC, since I got it working with a proper keystore and truststore and "clientcert=1". I was asking why JDBC works differently than libpq - it should have similar behavior (JDBC uses the standard SSL implementation from Java; I did not find a custom implementation from Postgres). JDBC requires the client's full CA chain in the server's root.crt while libpq does not. The question is why, and is it right?

Would you please let me know what I am possibly doing wrong and confirm that chained CAs are supported? I would expect to have only one top-level CA cert in the server's and client's root.crt, and it was not possible to configure this with a 2-level intermediate CA.

Please advise.

Kind regards,
Joanna
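The three trust-store layouts argued over in this thread can be reproduced outside PostgreSQL with `openssl verify`. The script below is an added example, not code from the thread or from the PostgreSQL project: it builds a throwaway two-level CA (the names "Example Root CA", "Intermediate CA 1" and "joanna" are made up), then checks the client certificate the way the server side would. `-CAfile` stands in for the server's root.crt, and `-untrusted` stands in for the chain the client presents from its postgresql.crt.

```shell
#!/bin/sh
# Added example (not from the original thread or from PostgreSQL): build a
# two-level CA with openssl and compare the trust-store layouts discussed above.
set -e

WORK=$(mktemp -d)

build_pki() {
    cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Self-signed root: the only certificate that belongs in the server's root.crt.
    openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
    # Intermediate CA 1, signed by the root (made-up name, as in the thread).
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Intermediate CA 1" -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions v3_ca \
        -out "$WORK/int.crt" >/dev/null 2>&1
    # Client certificate, signed by the intermediate rather than by the root.
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=joanna" -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions v3_client \
        -out "$WORK/client.crt" >/dev/null 2>&1
    # postgresql.crt as the manual describes it: leaf, its signer, then the root.
    cat "$WORK/client.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/postgresql.crt"
    # The layout the reply calls poor configuration: intermediate inside the
    # server's trust store next to the root.
    cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/root_plus_int.crt"
}

# Prints "ok" or "fail". $1 = trust store (the server's root.crt),
# $2 = chain file presented by the client, empty for "leaf certificate only".
verify_client() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/client.crt" >/dev/null 2>&1 \
            && echo ok || echo fail
    else
        openssl verify -CAfile "$1" "$WORK/client.crt" >/dev/null 2>&1 \
            && echo ok || echo fail
    fi
}

# 1. Server trusts only the root; client sends only its leaf. The verifier has
#    no way to reach the root, the "certificate verify failed" case in the thread.
root_only_leaf_only()     { verify_client "$WORK/root.crt" ""; }
# 2. Server trusts only the root; client sends leaf + intermediate + root from
#    postgresql.crt. The chain completes: the setup the manual excerpt describes.
root_only_with_chain()    { verify_client "$WORK/root.crt" "$WORK/postgresql.crt"; }
# 3. Server's root.crt also holds the intermediate; client sends only its leaf.
#    Verification succeeds, but the intermediate is now part of the trust store
#    rather than something the client has to present, which the reply advises against.
root_plus_int_leaf_only() { verify_client "$WORK/root_plus_int.crt" ""; }

build_pki
echo "root only, leaf only:             $(root_only_leaf_only)"
echo "root only, chain from client:     $(root_only_with_chain)"
echo "root + intermediate, leaf only:   $(root_plus_int_leaf_only)"
```

The first two cases are the libpq behaviour described in the reply: with only the root in the server's root.crt, a client that presents just its leaf fails, and one that presents the chain from postgresql.crt succeeds. The third case shows why the JDBC workaround in the thread "works": once the intermediate is in root.crt it no longer has to come from the client at all, which is exactly the trust widening the reply warns about.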