
File format for SSL CRL file

From: Greg Smith <greg(at)2ndquadrant(dot)com>
To: pgsql-docs(at)postgresql(dot)org
Subject: File format for SSL CRL file
Date: 2012-07-03 00:30:07
Message-ID: 4FF23D0F.80403@2ndquadrant.com
Lists: pgsql-docs, pgsql-hackers

A documentation comment came in recently about ssl-tcp.html not 
specifying what format is expected for the CRL file.  Seems like 
something that could be described better now that I look at it, so I'm 
passing that along with just wording edits from me; this is from user 
"oneironautics":

The root.crl needs to be in PEM (and not DER) format.  If a certificate 
file exists but is the wrong type, you will be told it cannot find the 
file when it exists, with this sort of error in the log:

LOG:  SSL certificate revocation list file "root.crl" not found, skipping: no SSL error reported
DETAIL:  Certificates will not be checked against revocation list.

This error can be reported even though you have a root.crl file in 
$PGDATA along with the private key and server/root certificates.  A 
quick check using openssl revealed that the unused CRL file in this 
example was indeed in DER format.  Converting the certificate to the PEM 
format rectified the error:

cd $PGDATA
openssl crl -inform der -in root.crl -outform pem -out root-new.crl
mv root-new.crl root.crl
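
A pre-flight check for the situation described in the message above, as an added example that is not part of the original post. The function names are hypothetical; the conversion step uses the same openssl crl command shown in the post.

```shell
#!/bin/sh
# Added example: pre-flight check for a PostgreSQL CRL file.
# Function names are hypothetical; the openssl conversion is the one from the post.

# crl_format FILE -> prints pem, der, unknown or missing
crl_format() {
    f=$1
    [ -r "$f" ] || { echo missing; return 1; }
    # A PEM CRL is base64 text wrapped in this armor line.
    if grep -q -- '-----BEGIN X509 CRL-----' "$f"; then
        echo pem; return 0
    fi
    # DER is raw ASN.1: a CRL is a SEQUENCE, so the first byte is 0x30.
    # Heuristic only; openssl does the real parse in ensure_pem_crl.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = 30 ]; then
        echo der; return 0
    fi
    echo unknown; return 1
}

# ensure_pem_crl FILE -> leaves FILE as a parseable PEM CRL or returns non-zero
ensure_pem_crl() {
    f=$1
    case $(crl_format "$f") in
        pem)
            # Parse it anyway so a truncated or corrupt PEM file is caught.
            openssl crl -inform pem -in "$f" -noout ;;
        der)
            tmp="$f.pem.$$"
            if openssl crl -inform der -in "$f" -outform pem -out "$tmp"; then
                mv "$tmp" "$f"
            else
                rm -f "$tmp"; return 1
            fi ;;
        *)
            echo "$f: not a readable PEM or DER CRL" >&2; return 1 ;;
    esac
}

# Usage: sh check_crl.sh "$PGDATA/root.crl"
if [ "$#" -gt 0 ]; then
    ensure_pem_crl "$1"
fi
```

Running this before the server starts surfaces a DER or corrupt CRL as an explicit failure, rather than as the "not found, skipping" log line after which certificates are not checked against the revocation list.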
