Re: Trust intermediate CA for client certificates
From | Tom Lane |
---|---|
Subject | Re: Trust intermediate CA for client certificates |
Date | |
Msg-id | 9917.1386007181@sss.pgh.pa.us |
In response to | Re: Trust intermediate CA for client certificates (Bruce Momjian <bruce@momjian.us>) |
Responses | Re: Trust intermediate CA for client certificates |
List | pgsql-hackers |

Bruce Momjian <bruce@momjian.us> writes:
> I have updated the patch, attached, to be clearer about the requirement
> that intermediate certificates need a chain to root certificates.

I see that you removed the sentence

    The root certificate should be included in every case where
    <filename>postgresql.crt</> contains more than one certificate.

in both places where it appeared. I seem to remember that I'd put that
in on the basis of experimentation, ie it didn't work to provide just a
partial chain. You appear to be telling people that it's safe to omit
the root cert, and I think this is wrong.

Specifically, rather than the text "trusted by the server, i.e. signed by
a certificate in the server's <filename>root.crt</filename> file", I think
you need to say "trusted by the server, i.e., appears in the server's
<filename>root.crt</filename> file".

Have you experimented with the configuration you're proposing, and if so,
with which OpenSSL versions?

regards, tom lane