From bff0d5d0bb295824a0c7136903f07cabfe1d8668 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Mon, 15 Jun 2026 08:14:56 +0200
Subject: [PATCH v2 3/8] Load full certificate chain for alternate certificate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use SSL_CTX_use_certificate_chain_file() instead of
SSL_CTX_use_certificate_file() for the alternate certificate, matching
how the primary certificate is loaded.  This ensures that intermediate
CA certificates included in the PEM file are loaded as the chain for
the alternate certificate.

Author: Renaud Métrich <rmetrich@redhat.com>
---
 src/backend/libpq/be-secure-openssl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index bfbce535ac8..fa9f551e22a 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -802,8 +802,7 @@ init_host_context(HostsLine *host, bool isServerStart)
 	}
 	if (ssl_alt_cert_file[0] && ssl_alt_key_file[0])
 	{
-		if (SSL_CTX_use_certificate_file(ctx, ssl_alt_cert_file,
-										 SSL_FILETYPE_PEM) != 1)
+		if (SSL_CTX_use_certificate_chain_file(ctx, ssl_alt_cert_file) != 1)
 		{
 			ereport(isServerStart ? FATAL : LOG,
 					(errcode(ERRCODE_CONFIG_FILE_ERROR),
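Review bot: The new SSL_CTX_use_certificate_chain_file() call on the alternate certificate relies on the PEM file being ordered leaf-first, since OpenSSL takes the first certificate as the end-entity certificate and every following one as its chain; a file that starts with an intermediate is accepted without error and the server then presents the wrong leaf, so a comment stating the expected layout would help operators, e.g. `/* Leaf certificate first, then any intermediates, as for ssl_cert_file */`. Dropping SSL_FILETYPE_PEM is fine here because the chain-file variant only reads PEM, so the accepted input format is unchanged. As far as I can tell from OpenSSL's implementation, the chain read here is attached to this certificate rather than to the context, so it should not replace the primary certificate's chain on the OpenSSL versions PostgreSQL supports, but this is worth confirming with a test that serves both an RSA and an ECDSA certificate with intermediates. The enclosing init_host_context() and the ereport message text continue outside the hunk.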
-- 
2.52.0

