| From: | Greg Smith <greg(at)2ndquadrant(dot)com> |
|---|---|
| To: | pgsql-docs(at)postgresql(dot)org |
| Subject: | File format for SSL CRL file |
| Date: | 2012-07-03 00:30:07 |
| Message-ID: | 4FF23D0F.80403@2ndquadrant.com |
| Lists: | pgsql-docs pgsql-hackers |

A documentation comment came in recently about ssl-tcp.html not
specifying what format is expected for the CRL file. Seems like
something that could be described better now that I look at it, so I'm
passing that along with just wording edits from me; this is from user
"oneironautics":

The root.crl needs to be in PEM (and not DER) format. If a certificate
file exists but is the wrong type, you will be told it cannot find the
file when it exists, with this sort of error in the log:

    LOG: SSL certificate revocation list file "root.crl" not found, skipping: no SSL error reported
    DETAIL: Certificates will not be checked against revocation list.

This error can be reported even though you have a root.crl file in
$PGDATA along with the private key and server/root certificates. A
quick check using openssl revealed that the unused CRL file in this
example was indeed in DER format. Converting the certificate to the PEM
format rectified the error:

    cd $PGDATA
    openssl crl -inform der -in root.crl -outform pem -out root-new.crl
    mv root-new.crl root.crl
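
The following is an added example, not part of the original message: a preflight check that classifies a CRL file before the server starts, so a DER file is caught before it produces the misleading "not found" log entry. The function names `crl_format` and `ensure_pem_crl` are hypothetical; the conversion command is the one from the message.

```shell
#!/bin/sh
# Hypothetical helpers (not from PostgreSQL or the original message).

# crl_format FILE -> prints one of: pem | pem-other | der | unknown | missing-or-empty
crl_format() {
    f=$1
    # Nonexistent or zero-length file.
    [ -s "$f" ] || { echo missing-or-empty; return 0; }
    # A PEM CRL carries this armor line.
    if grep -q -e '-----BEGIN X509 CRL-----' "$f"; then
        echo pem; return 0
    fi
    # PEM armor of another object type (e.g. a certificate saved under the CRL name).
    if grep -q -e '-----BEGIN ' "$f"; then
        echo pem-other; return 0
    fi
    # DER is a binary ASN.1 SEQUENCE, so its first byte is 0x30.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then echo der; else echo unknown; fi
}

# ensure_pem_crl FILE -> returns 0 if FILE is (or has been converted to) a PEM CRL.
ensure_pem_crl() {
    f=$1
    fmt=$(crl_format "$f")
    case $fmt in
        pem)
            return 0 ;;
        der)
            # Same conversion as in the message, written to a temp file first
            # so a failed conversion never replaces the original.
            tmp="$f.pem.$$"
            if openssl crl -inform der -in "$f" -outform pem -out "$tmp"; then
                mv "$tmp" "$f"
            else
                rm -f "$tmp"; return 1
            fi ;;
        *)
            echo "$f: not a usable CRL file ($fmt)" >&2
            return 1 ;;
    esac
}
```

Run `ensure_pem_crl "$PGDATA/root.crl"` before starting the server; a non-zero exit means the file needs attention.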