This patch attempts to note the use of the root.crt file in the server.
Given that PostgreSQL will output a message complaining about its
absence if you're using SSL mode, I feel it's important that it gets a
mention in the documentation at some point.

-Dom
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql-server/doc/src/sgml/runtime.sgml,v
retrieving revision 1.281
diff -u -r1.281 runtime.sgml
--- doc/src/sgml/runtime.sgml   17 Sep 2004 22:40:46 -0000      1.281
+++ doc/src/sgml/runtime.sgml   22 Sep 2004 06:45:13 -0000
@@ -4353,6 +4353,24 @@
    to turn the certificate into a self-signed certificate and to copy the
    key and certificate to where the server will look for them.
   </para>
+
+  <para>
+   If verification of client certificates is required, place the
+   certificates of the <acronym>CA</acronym> you wish to check for in
+   the file <filename>root.crt</filename> in the data directory.  When
+   present, a client certificate will be requested from the client
+   making the connection and it must have been signed by one of the
+   certificates present in <filename>root.crt</filename>.  If no
+   certificate is presented, the connection will be allowed to proceed
+   anway.
+  </para>
+
+  <para>
+   The <filename>root.crt</filename> file is always checked for, and
+   its absence will be noted through a message in the log.  This is
+   merely an informative message that client certificates will not be
+   requested.
+  </para>
  </sect1>
 
  <sect1 id="ssh-tunnels">
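Review bot: The first added paragraph contradicts itself. It opens with "If verification of client certificates is required" but ends by saying that a connection presenting no certificate "will be allowed to proceed", so a reader could take root.crt as enforcing client authentication when the text itself says it does not. Suggest saying up front that a certificate is requested but not required, and that only a certificate that is actually presented is checked against root.crt. In the same paragraph, "anway" should be "anyway", and "certificates of the CA you wish to check for" would read more clearly as the CAs whose signatures are accepted, since the later sentence speaks of "one of the certificates present". In the second paragraph, "always checked for" should say when the check happens (the covering note says the message appears when SSL is in use), so an administrator who sees the log line knows whether it applies to their configuration.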