Re: what can go in root.crt ?

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Chapman Flack <chap(at)anastigmatix(dot)net>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: what can go in root.crt ?
Date: 2020-05-26 02:03:43
Message-ID: 20200526020343.GG14122@momjian.us
Lists: pgsql-hackers

On Mon, May 25, 2020 at 03:32:52PM -0400, Chapman Flack wrote:
> On 05/25/20 15:15, Chapman Flack wrote:
> > Does that mean it also would fail if I directly put the server's
> > end-entity cert there?
> >
> > Would I have to put all three of WE ISSUE TO ORGS LIKE YOURS,
> > WE ISSUE TO LOTS, and WE ISSUE TO EVERYBODY in the root.crt file
> > in order for verification to succeed?
> >
> > If I did that, would the effect be any different from simply putting
> > WE ISSUE TO EVERYBODY there, as before? Would it then happily accept
> > a cert with a chain that ended at WE ISSUE TO EVERYBODY via some other
> > path? Is there a way I can accomplish trusting only certs issued by
> > WE ISSUE TO ORGS LIKE YOURS?
>
> The client library is the PG 10 one that comes with Ubuntu 18.04
> in case it matters.
>
> I think I have just verified that I can't make it work by putting
> the end entity cert there either. It is back working again with only
> the WE ISSUE TO EVERYBODY cert there, but if there is a workable way
> to narrow that grant of trust a teensy little bit, I would be happy
> to do that.

Did you review the PG documentation about intermediate certificates?

https://www.postgresql.org/docs/13/ssl-tcp.html#SSL-CERTIFICATE-CREATION

Is there a specific question you have? I don't know how to improve the
error reporting.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
