Re: what can go in root.crt ?

From: Chapman Flack <chap(at)anastigmatix(dot)net>
To: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: what can go in root.crt ?
Date: 2020-05-25 19:32:52
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On 05/25/20 15:15, Chapman Flack wrote:
> Does that mean it also would fail if I directly put the server's
> end-entity cert there?
> Would I have to put all three of WE ISSUE TO ORGS LIKE YOURS,
> WE ISSUE TO LOTS, and WE ISSUE TO EVERYBODY in the root.crt file
> in order for verification to succeed?
> If I did that, would the effect be any different from simply putting
> WE ISSUE TO EVERYBODY there, as before? Would it then happily accept
> a cert with a chain that ended at WE ISSUE TO EVERYBODY via some other
> path? Is there a way I can accomplish trusting only certs issued by

The client library is the PG 10 one that comes with Ubuntu 18.04
in case it matters.

I think I have just verified that I can't make it work by putting
the end entity cert there either. It is back working again with only
the WE ISSUE TO EVERYBODY cert there, but if there is a workable way
to narrow that grant of trust a teensy little bit, I would be happy
to do that.


In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Jeff Davis 2020-05-25 19:49:45 Re: Trouble with hashagg spill I/O pattern and costing
Previous Message David Fetter 2020-05-25 19:29:21 Re: Since '2001-09-09 01:46:40'::timestamp microseconds are lost when extracting epoch