Psql client certificate chain

I am trying to set up a PostgreSQL db server using SSL. More specifically, I have successfully configured the server and SSL is working ... without intermediate certificates. It doesn't work when there is an intermediate certificate.

Background / Setting:

  • I have a root CA.cert.
  • I used CA.cert to sign intermediate.csr and created intermediate.cert.
  • I used intermediate.cert to sign postgres.csr and created postgres.cert.
  • On the server I installed CA.cert, postgres.key and postgres.cert.
  • CA.cert was installed as the trusted certificate.
  • postgresql.conf was modified to point to the above files.
  • I used intermediate.cert to sign client_0.csr and created client_0.cert.
  • I used CA.cert to sign client_1.csr and created client_1.cert.
  • I created a client chain.cert: cat client_0.cert intermediate.cert > chain.cert

The correct extensions were used, and both client certificates have their common name set to the (username) that connects to the db.

Fun, aka the problem.

psql "sslmode=require hostname=(host) db=(db) sslcert=client_1.cert sslkey=client_1.key" -U (username): big success!

psql "sslmode=require hostname=(host) db=(db) sslcert=client_0.cert sslkey=client_0.key" -U (username): alert unknown ca. Expected, since client_0.cert is not signed by CA.cert.

psql "sslmode=require hostname=(host) db=(db) sslcert=chain.cert sslkey=client_0.key" -U (username): alert unknown ca. Oh. Now this one I don't understand.

Confusion

The documentation for connecting to a PostgreSQL instance with client and intermediate SSL certificates says:

In some cases, the client certificate might be signed by an "intermediate" certificate authority, rather than one that is directly trusted by the server. To use such a certificate, append the certificate of the signing authority to the postgresql.crt file, then its parent authority's certificate, and so on up to a certificate authority, "root" or "intermediate", that is trusted by the server, i.e. signed by a certificate in the server's root.crt file. https://www.postgresql.org/docs/9.6/static/libpq-ssl.html

I also tried the whole chain (client > intermediate > CA > chain.cert), without any success.

Question

What did I do wrong here?

Thanks,

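The ordering rule the libpq docs describe for sslcert (leaf first, then each signing authority in turn) checked offline, as an added example that is not part of the original post or of PostgreSQL: it parses just enough DER to read each certificate's issuer and subject and confirms that every certificate in the bundle is issued by the one after it, which is the order `cat client_0.cert intermediate.cert > chain.cert` produces. The functions `chain_problems` and `fake_cert` are this example's own, and the sample certificates are constructed stand-ins with the real TBSCertificate field layout; the check covers linkage only, not signatures, so it complements `openssl verify` rather than replacing it.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_read(buf, pos):
    """Read one DER TLV header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return (issuer, subject) as raw DER Name encodings of one X.509 certificate."""
    _, pos, _ = der_read(der, 0)            # Certificate ::= SEQUENCE
    _, pos, end = der_read(der, pos)        # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < end:                        # collect the TBSCertificate fields in order
        tag, _, ce = der_read(der, pos)
        fields.append((tag, der[pos:ce]))
        pos = ce
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def chain_problems(pem_text):
    """sslcert rule: leaf first, and each certificate issued by the one that follows it."""
    names = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not names:
        return ["no certificates found"]
    return [f"certificate {i} is not issued by certificate {i + 1}"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def _tlv(tag, content):                     # short-form DER encoder for the constructed sample
    return bytes([tag, len(content)]) + content

def fake_cert(subject, issuer):
    """Constructed stand-in with the real TBSCertificate field order (not a usable certificate)."""
    name = lambda s: _tlv(0x30, _tlv(0x0C, s.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + name(issuer) + _tlv(0x30, b"") + name(subject) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

# Constructed sample mirroring the post: client_0 signed by intermediate, intermediate by CA.
CLIENT_0, INTERMEDIATE = fake_cert("client_0", "intermediate"), fake_cert("intermediate", "CA")
GOOD_CHAIN = CLIENT_0 + INTERMEDIATE        # what `cat client_0.cert intermediate.cert` produces
BAD_CHAIN = INTERMEDIATE + CLIENT_0         # reversed: the client certificate is no longer first
```

Running `chain_problems` on a real bundle works the same way, since only the PEM framing and the TBSCertificate field order are relied on; an empty result means the bundle is ordered as libpq expects, and the server's root.crt must still contain the CA that ends the chain.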