From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
Date: | 2010-05-26 01:23:28 |
Message-ID: | 20100526012328.GQ21875@tamriel.snowman.net |
Lists: | pgsql-bugs |
* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> What I meant to question is *which* file the intermediate CA certs
> go into. It doesn't seem tremendously sensible to me to put them into
> the server.crt file, since that's intended to define exactly one cert,
> namely the one identifying the server. On the other hand, putting them
> into the root.crt file implies that the intermediate certs are as good
> as the real root CA for trust purposes, which might not quite be the
> right thing either.
Root CAs are self-signed; intermediate CAs are not. They typically
both go into directories/files like 'cacerts' (e.g. Strongswan expects
them in the cacerts directory). Most systems (uh, all?) will validate
all the way up to a self-signed cert; intermediate CAs are only used as
a mechanism to get to the root CA. I don't believe there's any
confusion about intermediate CAs being accepted as root CAs just because
they're in the same file or directory.
All that being said, I don't think anyone would really complain if
intermediate CAs and root CAs were stored in different
directories/files. That's how Windows has certificates separated out.
Thanks,
Stephen
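As an added illustration, not code from the thread or from PostgreSQL, here is a small model of the chain walk described above: validation follows issuer links through intermediates and succeeds only when it reaches a self-signed cert, so an intermediate sitting in the trust file serves as a link, never as an anchor. The `Cert` class, the file layout in `split_files`, and the sample subject names are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Toy certificate holding only the fields chain building needs (constructed model)."""
    subject: str
    issuer: str
    is_ca: bool

    def is_self_signed(self):
        # A root CA issues itself; every other cert names a different issuer.
        return self.subject == self.issuer


def build_chain(leaf, store):
    """Walk issuer links from `leaf` until a self-signed cert is reached.

    `store` holds every CA cert available, roots and intermediates mixed as in a
    single root.crt. Intermediates are only stepping stones: the walk succeeds
    only when it ends at a self-signed cert, so an intermediate in the store is
    never treated as a trust anchor on its own.
    """
    by_subject = {c.subject: c for c in store}
    chain, seen = [leaf], {leaf.subject}
    while not chain[-1].is_self_signed():
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None:
            raise ValueError(f"no issuer found for {chain[-1].subject!r}")
        if not issuer.is_ca or issuer.subject in seen:
            raise ValueError(f"invalid link {issuer.subject!r}")
        seen.add(issuer.subject)
        chain.append(issuer)
    return chain


def anchors_at_root(leaf, store):
    """True only if the walk from `leaf` terminates at a self-signed cert."""
    try:
        build_chain(leaf, store)
        return True
    except ValueError:
        return False


def split_files(chain):
    """One possible layout with roots and intermediates kept apart (assumed, not PostgreSQL's)."""
    return {
        "server.crt": [c for c in chain if not c.is_ca],
        "intermediates.crt": [c for c in chain if c.is_ca and not c.is_self_signed()],
        "root.crt": [c for c in chain if c.is_self_signed()],
    }


# Constructed sample chain: server <- intermediate <- root.
ROOT = Cert("Example Root CA", "Example Root CA", True)
INTER = Cert("Example Issuing CA", "Example Root CA", True)
SERVER = Cert("db.example.test", "Example Issuing CA", False)
STORE = [INTER, ROOT]
```

Calling `anchors_at_root(SERVER, [INTER])` returns False: with only the intermediate available the walk never reaches a self-signed cert, which is the behaviour the message attributes to most validators.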