From: | Asia <asia123321(at)op(dot)pl> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: SSL certificates issue |
Date: | 2011-09-05 12:07:00 |
Message-ID: | 50615181-44f36c75bf45f8f7a41bf3c7baee488f@pkn5.m5r2.onet |
Lists: | pgsql-general |
> Asia <asia123321(at)op(dot)pl> writes:
> > Now the issue is then when using libpq it was enough to have only root certificate in server's root.crt and it worked fine.
> > But when I tried using the same with JDBC it turned out that I need to put whole chain (2 certs) of Intermediate CA 1 in server's root.crt.
>
> This is poor configuration, because every certificate listed in root.crt
> is considered fully trusted for every purpose. It's best to keep only
> top-level root certs in root.crt. Instead, put the full chain of
> certificates into the client's postgresql.crt, as per the manual:
>
> : In some cases, the client certificate might be signed by an
> : "intermediate" certificate authority, rather than one that is directly
> : trusted by the server. To use such a certificate, append the certificate
> : of the signing authority to the postgresql.crt file, then its parent
> : authority's certificate, and so on up to a "root" authority that is
> : trusted by the server. The root certificate should be included in every
> : case where postgresql.crt contains more than one certificate.
>
> In the JDBC case you'd need to put all those certs into the client's
> keystore, which I'm afraid I don't know the details of doing. Possibly
> somebody on pgsql-jdbc could help you with that.
>
> regards, tom lane
>
Hi Tom,
I have analyzed your reply thoroughly in my implementation, but unfortunately either I am doing something wrong with the configuration or it does not work as described in the doc.
When I put the top-level CA certificate (just to remind you, the intermediate CA is a 2-cert chain) in root.crt on the client, I receive the following error when connecting:
SSL error: tlsv1 alert unknown ca
When I do the same on the server (with the original root.crt on the client) I receive the following error when connecting with the server's root.crt containing only the top-level CA:
SSL error: certificate verify failed
I was not actually asking for the details of how to do it with JDBC, since I got it working with a proper keystore and truststore and "clientcert=1". I was asking why JDBC works differently than libpq - it should have similar behavior (JDBC uses the standard SSL implementation from Java; I did not find a custom implementation from Postgres). JDBC requires the client's full CA chain in the server's root.crt while libpq does not. The question is why, and is it right?
Would you please let me know what I could possibly be doing wrong and confirm that chained CAs are supported?
I would expect to have only one top-level CA cert in the server's and client's root.crt, and it was not possible to configure this with a 2-level intermediate CA.
Please advise.
Kind regards,
Joanna
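The three configurations discussed in this thread (root-only root.crt on the server with the full chain in the client's postgresql.crt, root-only root.crt with the client presenting only its leaf, and the whole chain dumped into the server's root.crt) can be reproduced with openssl alone. The script below is an added example, not from the thread or from PostgreSQL; it builds a throwaway two-level intermediate hierarchy and runs the same verification the server side performs. It assumes `openssl` 1.1.1 or 3.x on PATH; every CN and file name is made up.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate 1
# -> intermediate 2 -> client hierarchy and check, the way the server-side
# verification does, which pairings of server root.crt and client-presented
# chain verify. Assumes `openssl` (1.1.1 or 3.x) on PATH; every CN and file
# name below is made up. Files are left in $WORK for inspection.
set -e
WORK=$(mktemp -d); cd "$WORK"

# issue NAME SUBJECT CA_FLAG [SIGNER] -> NAME.key, NAME.crt (self-signed if no SIGNER)
issue() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1.ext"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  fi
}
issue root   "/CN=Test Root CA"           TRUE
issue ica1   "/CN=Test Intermediate CA 1" TRUE  root
issue ica2   "/CN=Test Intermediate CA 2" TRUE  ica1
issue client "/CN=dbuser"                 FALSE ica2

# Client side, as the manual says: leaf, then its signer, then the parent, up to the root.
cat client.crt ica2.crt ica1.crt root.crt > postgresql.crt
cat ica2.crt ica1.crt > presented.crt        # the extra certs sent along with the leaf
cat root.crt > root_only.crt                 # the recommended server root.crt
cat root.crt ica1.crt ica2.crt > whole.crt   # the "every cert fully trusted" server root.crt

# chain_verifies SERVER_ROOT_CRT [PRESENTED_INTERMEDIATES] -> prints yes or no
chain_verifies() {
  if [ -n "$2" ]; then set -- -CAfile "$1" -untrusted "$2"; else set -- -CAfile "$1"; fi
  if openssl verify "$@" client.crt >/dev/null 2>&1; then echo yes; else echo no; fi
}

echo "root-only root.crt, client presents full chain: $(chain_verifies root_only.crt presented.crt)"  # yes
echo "root-only root.crt, client presents leaf only:  $(chain_verifies root_only.crt)"                # no
echo "whole chain in root.crt, leaf only:             $(chain_verifies whole.crt)"                    # yes
```

The second line is the root-only server configuration failing because no intermediates were presented, which is the case Tom describes for a JDBC keystore that holds only the leaf; the third verifies only because every intermediate in root.crt is treated as fully trusted.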