what can go in root.crt ?

From: Chapman Flack <chap(at)anastigmatix(dot)net>
To: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: what can go in root.crt ?
Date: 2020-05-25 19:15:48
Message-ID: 5ECC1964.2040101@anastigmatix.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Certificates I get at $work come four layers deep:

Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"

Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"


End-entity cert for my server.

Until today, we had the topmost, self-signed cert in root.crt
and stuff worked. But I needed to renew, and it seems that
recently WE ISSUE TO ORGS LIKE YOURS has chosen somebody else
to sign their certs, so I have new certs for the issuers above them,
so I have to go deal with root.crt.

And that got me thinking: do I really want WE ISSUE TO EVERYBODY
to be what I'm calling trusted in root.crt?

I considered just putting the end-entity cert for my server in there,
but it's only good for a couple years, and I'd rather not have to
fuss with editing and distributing root.crt that often.

As a compromise, I tried putting the WE ISSUE TO ORGS LIKE YOURS cert there.
I think I'm willing to accept that much risk. But psql says:

psql: SSL error: certificate verify failed

I would be happy if it gave a little more detail. Is it failing
verification because the cert I put in root.crt is *not* self-signed,
and I didn't include the two issuers above it?

Does that mean it also would fail if I directly put the server's
end-entity cert there?

Would I have to put all three of WE ISSUE TO ORGS LIKE YOURS,
WE ISSUE TO LOTS, and WE ISSUE TO EVERYBODY in the root.crt file
in order for verification to succeed?

If I did that, would the effect be any different from simply putting
WE ISSUE TO EVERYBODY there, as before? Would it then happily accept
a cert with a chain that ended at WE ISSUE TO EVERYBODY via some other
path? Is there a way I can accomplish trusting only certs issued by

I never noticed how thin the docs or verify-failure messages were
on this topic until just now. Are there any options, openssl
environment variables, or the like, to get it to be a little more
forthcoming about what it expects?



Browse pgsql-hackers by date

  From Date Subject
Next Message David Fetter 2020-05-25 19:29:21 Re: Since '2001-09-09 01:46:40'::timestamp microseconds are lost when extracting epoch
Previous Message Mark Dilger 2020-05-25 19:09:52 Re: some grammar refactoring