On 5/25/20 3:32 PM, Chapman Flack wrote: > On 05/25/20 15:15, Chapman Flack wrote: >> Does that mean it also would fail if I directly put the server's >> end-entity cert there? >> >> Would I have to put all three of WE ISSUE TO ORGS LIKE YOURS, >> WE ISSUE TO LOTS, and WE ISSUE TO EVERYBODY in the root.crt file >> in order for verification to succeed? >> >> If I did that, would the effect be any different from simply putting >> WE ISSUE TO EVERYBODY there, as before? Would it then happily accept >> a cert with a chain that ended at WE ISSUE TO EVERYBODY via some other >> path? Is there a way I can accomplish trusting only certs issued by >> WE ISSUE TO ORGS LIKE YOURS? > The client library is the PG 10 one that comes with Ubuntu 18.04 > in case it matters. > > I think I have just verified that I can't make it work by putting > the end entity cert there either. It is back working again with only > the WE ISSUE TO EVERYBODY cert there, but if there is a workable way > to narrow that grant of trust a teensy little bit, I would be happy > to do that. >
The trouble is I think you have it the wrong way round. It makes sense to give less trust to a non-root CA than to one of its up-chain authorities, e.g. only trust it for certain domains, or for a lesser period of time. But it doesn't seem to make much sense to trust the up-chain CA less, since it is what you should base your trust of the lower CA on. cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services