Skip site navigation (1) Skip section navigation (2)

Re: JDBC SSL with postgresql

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Jeffrey Baker <jwbaker(at)gmail(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: JDBC SSL with postgresql
Date: 2010-06-03 05:50:10
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-jdbc
On 3/06/2010 11:06 AM, Jeffrey Baker wrote:

> Thanks for the info.
> I have complete control of both ends, and both the server and client
> are signed by my self-signed root cert.  I think perhaps the problem
> here is that I'm trying to tackle the entire Java SSL infrastructure
> in one go; I knew nothing about it this morning.  I read somewhere
> that the keystore has to include both the client cert and the root
> cert that signed it.  Is that not true?

No, it's not strictly true, but it's a good idea. However, "include" is 
pretty broad.

When you get a reply from your certificate authority containing the 
signed certificate, it should include the full certificate chain in that 
reply. If it doesn't, you should append the CA cert and any other 
intermediate certs to the reply before importing it with keytool.

So, when you use keytool to list your keystore, you should only see one 
entry (alias). The certificate part of that entry should preferably 
include the full certificate chain up to the CA certificate, though.

Your truststore should contain only trustedCertificate aliases for the 
CA certs you trust to identify peers.

>  I've tried it both ways:
> added root cert, then added client cert (this is the way it's
> documented in the keytool manual page, the way I interpret it), and
> only adding the client cert to the keystore.  It doesn't seem to work
> either way.

Concatenate all certs in the chain into one file, and import that.

Craig Ringer

In response to

pgsql-jdbc by date

Next:From: Craig RingerDate: 2010-06-03 05:52:26
Subject: Re: jdbc works in java app, fails in servlet: "no suitable jdbc found"
Previous:From: Manohar BhattaraiDate: 2010-06-03 04:15:51
Subject: Re: jdbc works in java app, fails in servlet: "no suitable jdbc found"

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group