On Tue, Feb 28, 2017 at 10:50:02PM +0100, Frazer McLean wrote:
> On 28 Feb 2017, at 21:51, Bruce Momjian wrote:
> >I have researched this and will post a blog and document the fix in
> >the next few months.  The reason you have to supply the entire
> >certificate chain to the root CA on the client is because you have not
> >used the "-extensions v3_ca" flag to openssl when creating the CA x509
> >request.  You have to mark the certificates as CAs so they are passed
> >from the server to the client.  You are looking for the CA certificates
> >to say:
> >
> >     X509v3 Basic Constraints:
> >             CA:TRUE
> >
> 
> My `ca.cert.pem` file has
> 
>     X509v3 Basic Constraints: critical
>         CA:TRUE
> 
> The `intermediate.cert.pem` has
> 
>     X509v3 Basic Constraints: critical
>         CA:TRUE, pathlen:0
> 
> This intermediate cert was generated using the `v3_intermediate_ca`
> extension defined in [1]. I wouldn’t expect *not* to have to give the full
> certificate chain to the client, since both were created by me.
> 
> To summarise my problem and solution: the connection worked fine until
> `ssl_crl_file` was enabled. I was trying to use a CRL generated from the
> intermediate CA, assuming PostgreSQL would trust it since it knows about the
> full CA chain in `ssl_ca_file`. Apparently, it must be a CRL generated from
> the root concatenated to a CRL generated from the intermediate, and then it
> works.

Oh, OK, that is beyond my understanding.  Thanks.

-- 
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
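The setup Frazer summarises, as an added example that is not part of the thread: a root CA signed with `-extensions v3_ca`, an intermediate signed with a `v3_intermediate_ca` section (`CA:TRUE, pathlen:0`), a server certificate under the intermediate, and one CRL per CA. `openssl verify -crl_check_all` is used here because PostgreSQL verifies client certificates with `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL`, which wants a CRL for every CA in the chain, so a file holding only the intermediate's CRL fails and the root CRL concatenated with the intermediate CRL passes. The CA names, hostnames, directory layout and the minimal `openssl ca` config are assumptions made for this example; it needs the OpenSSL 1.1.1+ command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> server,
# issue a CRL from each CA, and show why PostgreSQL's ssl_crl_file needs the
# root CRL and the intermediate CRL together. Names and paths are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

write_config() {
    # One openssl.cnf: extension sections (as in the thread's v3_ca /
    # v3_intermediate_ca) plus two minimal "openssl ca" sections used for CRLs.
    mkdir -p "$WORK/root_db" "$WORK/int_db"
    for d in root_db int_db; do
        : > "$WORK/$d/index.txt"
        echo 1000 > "$WORK/$d/crlnumber"
    done
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ root_ca ]
database = $WORK/root_db/index.txt
crlnumber = $WORK/root_db/crlnumber
certificate = $WORK/root.crt
private_key = $WORK/root.key
default_md = sha256
default_crl_days = 30
[ intermediate_ca ]
database = $WORK/int_db/index.txt
crlnumber = $WORK/int_db/crlnumber
certificate = $WORK/intermediate.crt
private_key = $WORK/intermediate.key
default_md = sha256
default_crl_days = 30
EOF
}

# sign NAME ISSUER EXT-SECTION: sign $WORK/NAME.csr with $WORK/ISSUER.{crt,key}
sign() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/openssl.cnf" \
        -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
    write_config
    # Root: self-signed with -extensions v3_ca, so Basic Constraints reads CA:TRUE.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Root CA" -config "$WORK/openssl.cnf" -extensions v3_ca \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    # Intermediate (CA:TRUE, pathlen:0) under the root; server cert under the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" -config "$WORK/openssl.cnf" \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
    sign intermediate root v3_intermediate_ca
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=db.example.test" -config "$WORK/openssl.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    sign server intermediate v3_server
    # What goes into ssl_ca_file: root and intermediate, concatenated.
    cat "$WORK/root.crt" "$WORK/intermediate.crt" > "$WORK/ca-chain.pem"
}

build_crls() {
    # One CRL per CA; ssl_crl_file gets the root CRL followed by the intermediate CRL.
    openssl ca -config "$WORK/openssl.cnf" -name root_ca -gencrl -out "$WORK/root.crl" 2>/dev/null
    openssl ca -config "$WORK/openssl.cnf" -name intermediate_ca -gencrl -out "$WORK/intermediate.crl" 2>/dev/null
    cat "$WORK/root.crl" "$WORK/intermediate.crl" > "$WORK/combined.crl"
}

revoke_server() {
    # Revoke the server certificate at the intermediate and reissue both CRLs.
    openssl ca -config "$WORK/openssl.cnf" -name intermediate_ca -revoke "$WORK/server.crt" 2>/dev/null
    build_crls
}

# basic_constraints CERT: print the Basic Constraints value, e.g. "CA:TRUE, pathlen:0".
basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' | tail -n 1 | sed 's/^ *//'
}

# verify_server CRLFILE: print "ok" or "fail". -crl_check_all mirrors the
# X509_V_FLAG_CRL_CHECK_ALL PostgreSQL sets: every CA in the chain needs a CRL.
verify_server() {
    if openssl verify -crl_check_all -CAfile "$WORK/ca-chain.pem" -CRLfile "$1" \
            "$WORK/server.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo() {
    build_pki; build_crls
    echo "root:                  $(basic_constraints "$WORK/root.crt")"
    echo "intermediate:          $(basic_constraints "$WORK/intermediate.crt")"
    echo "intermediate CRL only: $(verify_server "$WORK/intermediate.crl")"   # fail
    echo "root+intermediate CRL: $(verify_server "$WORK/combined.crl")"       # ok
    revoke_server
    echo "after revocation:      $(verify_server "$WORK/combined.crl")"       # fail
}
demo
```

The `combined.crl` file is the shape Frazer ended up with for `ssl_crl_file`; `ca-chain.pem` is the `ssl_ca_file` side. Whenever either CA reissues its CRL, regenerate the concatenated file, since PostgreSQL loads it as one unit.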
