Psql client certificate chain
I am trying to set up a PostgreSQL db server using SSL. More specifically, I have successfully configured the server and SSL is working ... as long as there are no intermediate certificates. It does not work if there is an intermediate certificate.
Background / Setup:
- I have a root CA.cert.
- I used CA.cert to sign intermediate.csr and created intermediate.cert.
- I used intermediate.cert to sign postgres.csr and created postgres.cert.
- On the server I installed CA.cert, postgres.key and postgres.cert.
- CA.cert was installed as a trusted certificate.
- postgresql.conf was modified to point to the above files.
- I used intermediate.cert to sign client_0.csr and created client_0.cert.
- I used CA.cert to sign client_1.csr and created client_1.cert.
- I created a client chain.cert: cat client_0.cert intermediate.cert > chain.cert
The correct extensions have been used, and both client certificates have their common name set to the (username) used to connect to the db.
Fun, aka the Problem:
psql "sslmode=require hostname=(host) db=(db) sslcert=client_1.cert sslkey=client_1.key" -U (username)
: Big success!
psql "sslmode=require hostname=(host) db=(db) sslcert=client_0.cert sslkey=client_0.key" -U (username)
: alert unknown ca
Not unexpected, since client_0.cert is not signed by CA.cert.
psql "sslmode=require hostname=(host) db=(db) sslcert=chain.cert sslkey=client_0.key" -U (username)
: alert unknown ca
Hmm. This one, however, I don't understand.
Confusion
The documentation on connecting to a PostgreSQL instance with client and intermediate SSL certificates says:
In some cases, the client certificate might be signed by an "intermediate" certificate authority, rather than one that is directly trusted by the server. To use such a certificate, append the certificate of the signing authority to the postgresql.crt file, then its parent authority's certificate, and so on up to a certificate authority, "root" or "intermediate", that is trusted by the server, i.e. signed by a certificate in the server's root.crt file. https://www.postgresql.org/docs/9.6/static/libpq-ssl.html
I also tried the whole chain (client + intermediate + CA > chain), without success.
Question
What did I do wrong here?
Thanks,
No one has answered this question yet
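Added example, not part of the question or of PostgreSQL: it rebuilds the question's root > intermediate > client chain with throwaway keys (file names follow the question; the key sizes, subjects and the "dbuser" role name are constructed here) and then checks, the way a server that trusts only CA.cert would, that client_0.cert alone cannot be verified while chain.cert with the certificates in the order libpq expects (client first, then intermediate) can.

```shell
#!/bin/sh
# Constructed example: throwaway CA, intermediate and client certificates in a temp dir.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# csr NAME CN: new RSA key plus CSR.   issue NAME ISSUER_CERT ISSUER_KEY EXTFILE: sign NAME.csr.
csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
          -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1; }
issue() { openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
            -days 2 -extfile "$4" -out "$1.cert" >/dev/null 2>&1; }

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

csr ca root-ca                      # root: self-signed, the only thing the server trusts
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext -out CA.cert >/dev/null 2>&1
csr intermediate intermediate-ca    # intermediate: signed by the root, must itself be CA:TRUE
issue intermediate CA.cert ca.key ca.ext
csr client_0 dbuser                 # client: signed by the intermediate, CN = database role
issue client_0 intermediate.cert intermediate.key leaf.ext

# libpq sends the sslcert file as the handshake chain: client cert first, then its issuers.
cat client_0.cert intermediate.cert > chain.cert

# verify_bundle FILE: succeed only if the first cert in FILE chains up to CA.cert using
# nothing but the other certs in FILE as untrusted intermediates (what the server sees).
verify_bundle() {
  openssl verify -CAfile CA.cert -untrusted "$1" "$1" >/dev/null 2>&1
}

# subjects FILE: print "subject ... issuer ..." for each cert, in bundle order,
# to eyeball that the leaf comes first and each issuer follows the cert it signed.
subjects() {
  awk '/-----BEGIN CERT/{n++} {print > ("blk" n ".pem")}' "$1"
  for f in blk*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '; echo
  done
  rm -f blk*.pem
}

if verify_bundle client_0.cert; then echo "leaf alone: verified (unexpected)"; else echo "leaf alone: unknown issuer"; fi
if verify_bundle chain.cert; then echo "chain.cert: OK"; else echo "chain.cert: FAILED"; fi
subjects chain.cert
```

Run the same `openssl verify -CAfile root.crt -untrusted chain.cert chain.cert` against the server's actual root.crt; if that fails, the server cannot build the path either, whatever psql is sending.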