Re: [GENERAL] Configuring ssl_crl_file
| From | Frazer McLean |
|---|---|
| Subject | Re: [GENERAL] Configuring ssl_crl_file |
| Date | |
| Msg-id | DD7A3D3B-A048-4E7E-909E-3065B3C4BD5E@frazermclean.co.uk |
| In reply to | Re: [GENERAL] Configuring ssl_crl_file (Bruce Momjian <bruce@momjian.us>) |
| Replies | Re: [GENERAL] Configuring ssl_crl_file |
| List | pgsql-general |
On 28 Feb 2017, at 21:51, Bruce Momjian wrote:

> I have researched this and will post a blog and document the fix in
> the next few months. The reason you have to supply the entire
> certificate chain to the root CA on the client is because you have not
> used the "-extensions v3_ca" flag to openssl when creating the CA x509
> request. You have to mark the certificates as CAs so they are passed
> from the server to the client. You are looking for the CA certificates
> to say:
>
> X509v3 Basic Constraints:
> CA:TRUE

My `ca.cert.pem` file has

    X509v3 Basic Constraints: critical
        CA:TRUE

The `intermediate.cert.pem` has

    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0

This intermediate cert was generated using the `v3_intermediate_ca` extension defined in [1].

I wouldn’t expect *not* to have to give the full certificate chain to the client, since both were created by me.

To summarise my problem and solution: the connection worked fine until `ssl_crl_file` was enabled. I was trying to use a CRL generated from the intermediate CA, assuming PostgreSQL would trust it since it knows about the full CA chain in `ssl_ca_file`. Apparently, it must be a CRL generated from the root concatenated to a CRL generated from the intermediate, and then it works.

[1]: https://github.com/RazerM/postgres_crl_test/blob/dd9ef3ac4dd74d1cdfc6403899a09d954fd9622a/intermediate-config.txt#L99

Kind regards,
Frazer McLean
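The behaviour summarised in the message, reproduced with the plain openssl CLI as an added example (not code from the thread or from PostgreSQL): full-chain CRL checking (OpenSSL's X509_V_FLAG_CRL_CHECK_ALL, which the server applies once `ssl_crl_file` is set) needs a CRL from every issuer in the chain, so an intermediate-only CRL fails and the root CRL concatenated with the intermediate CRL passes. It assumes an openssl 1.1.x or 3.x binary on PATH; all names, subjects and files are constructed for the demonstration.

```shell
# Added example, not from the original thread. Assumes the openssl CLI on PATH;
# every name below is constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal config so `openssl ca -gencrl` runs without a full CA directory layout.
printf '[ ca ]\ndefault_ca = ca_default\n[ ca_default ]\ndatabase = index.txt\ndefault_md = sha256\n' > ca.cnf
: > index.txt
# Extension profiles matching the message: root CA:TRUE, intermediate CA:TRUE,pathlen:0.
cat > ext.cnf <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ server ]
basicConstraints = CA:FALSE
EOF
# Key + CSR for one name; $1 = file prefix, $2 = CN.
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null; }
csr root "Constructed Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 365 \
  -extfile ext.cnf -extensions v3_ca -out root.pem 2>/dev/null
csr intermediate "Constructed Intermediate CA"
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial -days 365 \
  -extfile ext.cnf -extensions v3_intermediate_ca -out intermediate.pem 2>/dev/null
csr server "db.example.test"
openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -days 365 -extfile ext.cnf -extensions server -out server.pem 2>/dev/null
# One (empty) CRL per CA; what matters is which issuers have a CRL present at all.
openssl ca -config ca.cnf -gencrl -keyfile root.key -cert root.pem -crldays 30 -out root.crl 2>/dev/null
openssl ca -config ca.cnf -gencrl -keyfile intermediate.key -cert intermediate.pem -crldays 30 \
  -out intermediate.crl 2>/dev/null
cat root.crl intermediate.crl > combined.crl   # the form that worked for ssl_crl_file
cat root.pem intermediate.pem > chain.pem      # the ssl_ca_file equivalent
# Full-chain CRL checking: every CA in the chain, root included, needs a CRL from
# its issuer. Returns 0 when openssl reports "OK", 1 otherwise.
verify_with_crl() {
  openssl verify -crl_check_all -CAfile chain.pem -CRLfile "$1" server.pem 2>&1 | grep -q ': OK$'
}
for crl in intermediate.crl root.crl combined.crl; do
  if verify_with_crl "$crl"; then echo "$crl: verification OK"; else echo "$crl: verification failed"; fi
done
```

Only `combined.crl` verifies; with `intermediate.crl` alone the intermediate certificate has no CRL to be checked against, which is the "unable to get certificate CRL" condition the server hits when `ssl_crl_file` holds just the intermediate's CRL.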