Re: Trust intermediate CA for client certificates

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Trust intermediate CA for client certificates
Date: 2013-12-02 21:00:51
Message-ID: 20131202210051.GK5274@momjian.us
Lists: pgsql-general pgsql-hackers

On Mon, Dec 2, 2013 at 03:44:18PM -0500, Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > Yes, this was my understanding. Let me ask a simple question --- can
> > you put only the client cert on the client (postgresql.crt) and only the
> > root cert on the server (root.crt), and will it work?
>
> Yes, that's surely always worked.
>
> > I think Tom's question is whether OpenSSL will read through all the
> > entries in root.crt and find the one that signed the remote cert, and
> > has it always done that, i.e. does the remote side have to provide the
> > upper-level cert to match against.
>
> My point is specifically that it didn't seem to work when the client cert
> file includes an intermediate CA cert, but not a full path to a trusted
> root cert. (Note that anything in the server's root.crt file is a trusted
> root cert so far as the server is concerned --- it doesn't matter if it's
> a child of some other CA.)

OK, so you are really saying that a multi-cert client has to supply a
chain right up to the root as the server will not walk the chain for you
up to the root, at least for some versions of openssl --- kind of makes
sense. The email tester seems to have a version that does, but as you
stated, all versions might not. Because you said that all root.crt CAs
are treated as trusted, can you just match an intermediate CA that
appears in root.crt? Do you really need to match a root CA or just
one in root.crt?

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +
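The question of what the server's root.crt has to contain can be checked directly with the openssl command line. What follows is an added example, not code from this thread or from PostgreSQL: it builds a throwaway root, intermediate and client certificate and runs openssl verify against client.crt in each arrangement discussed above (root only, client supplying the intermediate, root plus intermediate in root.crt, intermediate alone). It assumes an openssl binary of version 1.0.2 or later on PATH; all subject names and file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread or PostgreSQL. Builds a throwaway
# root -> intermediate -> client chain and checks which root.crt contents
# OpenSSL accepts. Assumes openssl 1.0.2+ (for -partial_chain) on PATH.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

make_chain() {
    # Self-signed root CA: what a server would normally keep in root.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestRoot \
        -keyout root.key -out root.crt >/dev/null 2>&1 || return 1
    # Intermediate CA signed by the root (needs CA:TRUE to be usable as an issuer)
    printf 'basicConstraints=CA:TRUE\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
        -keyout int.key -out int.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out int.crt >/dev/null 2>&1 || return 1
    # Client certificate signed by the intermediate: the postgresql.crt side
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=testuser \
        -keyout client.key -out client.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in client.csr -CA int.crt -CAkey int.key \
        -CAcreateserial -out client.crt >/dev/null 2>&1 || return 1
    cat root.crt int.crt > root_and_int.crt
}

# verify_case TRUSTFILE [extra verify options]: prints ok or fail for client.crt
verify_case() {
    trust=$1; shift
    if openssl verify -CAfile "$trust" "$@" client.crt >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}
# Runs the five arrangements and prints the five results on one line
run_cases() {
    make_chain || return 1
    c1=$(verify_case root.crt)                    # root only, client sends no chain
    c2=$(verify_case root.crt -untrusted int.crt) # client supplies the intermediate
    c3=$(verify_case root_and_int.crt)            # root.crt holds root and intermediate
    c4=$(verify_case int.crt)                     # only the intermediate is trusted
    c5=$(verify_case int.crt -partial_chain)      # same, with partial chains allowed
    echo "$c1 $c2 $c3 $c4 $c5"
}

# Expected with default OpenSSL verification: "fail ok ok fail ok"
run_cases
```

The fourth and fifth results are the ones that answer the question above: a bare intermediate in the trust file is only accepted when the verifier is explicitly told to allow partial chains, which plain SSL_CTX_load_verify_locations does not do.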
