Re: what can go in root.crt ?

From: Isaac Morland <isaac(dot)morland(at)gmail(dot)com>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: Chapman Flack <chap(at)anastigmatix(dot)net>, Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: what can go in root.crt ?
Date: 2020-05-26 04:12:18
Message-ID: CAMsGm5dSem5OuYohUBWceJTqO4Add=R8czoNC6_f2JJLd5jo9Q@mail.gmail.com
Lists: pgsql-hackers

On Tue, 26 May 2020 at 00:08, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
wrote:

> On 2020-May-25, Chapman Flack wrote:
>
> > If the libpq root.crt file can be made to work similarly to a
> > Java trustStore, that expands the possible solution space.
>
> If I understand you correctly, you want a file in which you drop any of
> these intermediate CA's cert in, causing the server to trust a cert
> emitted by that CA -- regardless of that CA being actually root.
>

I think he wants only certificates signed by the specific intermediate
certificate to be trusted.

I just had an idea: would it work to create a self-signed root certificate,
put it in root.crt, and then use it to sign the intermediate certificate?

You can't use other people's certificates to sign your certificates, and
it's not usual to sign other people's intermediate certificates, but as far
as I can tell there is no reason you can't.
