Skip site navigation (1) Skip section navigation (2)

Re: BUG #5468: Pg doesn't send accepted root CA list toclient during SSL client cert request

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>,pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list toclient during SSL client cert request
Date: 2010-05-26 01:23:28
Message-ID: 20100526012328.GQ21875@tamriel.snowman.net (view raw or flat)
Thread:
Lists: pgsql-bugs
* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> What I meant to question is *which* file the intermediate CA certs
> go into.  It doesn't seem tremendously sensible to me to put them into
> the server.crt file, since that's intended to define exactly one cert,
> namely the one identifying the server.  On the other hand, putting them
> into the root.crt file implies that the intermediate certs are as good
> as the real root CA for trust purposes, which might not quite be the
> right thing either.

root CA's are self-signed.  intermediate CAs are not.  They typically
both go into directories/files like 'cacerts' (eg: Strongswan expects
them in the cacerts directory).  Most systems (uh, all?) will validate
all the way up to a self-signed cert- intermediate CAs are only used as
a mechanism to get to the root CA.  I don't believe there's any
confusion about intermediate CAs being accepted as root CAs just because
they're in the same file or directory.

All that being said- I don't think anyone would really complain if
intermediate CAs and root CAs were stored in different
directories/files.  That's how Windows has certificates separated out.

	Thanks,

		Stephen

In response to

Responses

pgsql-bugs by date

Next:From: Tom LaneDate: 2010-05-26 01:35:46
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Previous:From: Tom LaneDate: 2010-05-26 00:17:18
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group