If we provide the CRL then the CRL will be referred and the connection might not go through but the CRL takes at least 12 hours to reflect the expired certificate.
We wanted to understand if the connection can be rejected based on the 'Expiry date' in the server certificate even without referring the CRL?
Nikhil Shetty <nikhil.dba04@gmail.com> writes:
> We were using MTLS to connect to the database. We noticed that even after
> server certificates expired the client was able to connect to the database.
> 1. Doesn't postgres check the expiry date of the certificate?
Postgres does not. The openssl library can. The most likely guess, on the basis of the next-to-zero details you provided, is that the connection is succeeding via some method that doesn't require the client to check the server's certificate --- for instance, a completely unencrypted connection.
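A standalone check for the situation discussed in this thread, added here as an example and not part of the thread or of PostgreSQL itself: it sends the PostgreSQL SSLRequest message by hand and then hands the server certificate to OpenSSL with verification enabled, which is what libpq's sslmode=verify-full does. With verification on, a certificate outside its validity window is rejected during chain validation, no CRL involved; with sslmode=prefer or require nothing is verified, so an expired certificate goes unnoticed. Host, port and CA file name are placeholders.

```python
import socket
import ssl
import struct

# PostgreSQL wire protocol: SSLRequest is an int32 length (8) followed by the
# request code 80877103, i.e. (1234 << 16) | 5679.
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def server_accepts_tls(reply: bytes) -> bool:
    # The server answers with one byte: 'S' = proceed with TLS, 'N' = no TLS.
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def verifying_context(cafile):
    # Equivalent of libpq sslmode=verify-full: the chain must validate against
    # the given CA and the hostname must match. Validity dates are part of
    # chain validation, so an expired certificate fails here without any CRL.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe(host: str, port: int, cafile: str) -> str:
    """Return the server certificate's notAfter, or raise SSLCertVerificationError."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_ssl_request())
        if not server_accepts_tls(sock.recv(1)):
            raise RuntimeError("server refused TLS; the session would be plaintext")
        tls = verifying_context(cafile).wrap_socket(sock, server_hostname=host)
        with tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Placeholder values (assumed, not from the thread); substitute your own.
    print(probe("db.example.invalid", 5432, "root.crt"))
```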