> > If you stick a root certificate (root.crt in ~/.postgresql) > for it to > > validate against, it will be validated against that root. > I'm not sure > > if it validates the common name of the cert though - that > would be an > > issue if you're using a global CA. If you're using a local > enterprise > > CA, that's a much smaller issue (because you yourself have total > > control over who gets certificates issued by the CA). > > But in either case, it would only be checking that the cert > had been issued by that CA, no? Unless you set up a CA that > only ever issues certificates to your PG server, someone else > with a cert from the CA could still impersonate. Or am I > mistaken about that?
Correct. But if you run your own enterprise CA, that's exactly the kind of thing you can make sure - that nobody else has a certificate from that CA. But no, it wouldn't be bad if there was a way to specify exactly which cert is used. Or at least validate the common name of it agains the hostname of the server. //Magnus ---------------------------(end of broadcast)--------------------------- TIP 5: don't forget to increase your free space map settings