Generating a client certificate for PostgreSQL

Hi,

Quick question. I'm trying various guides for generating user authentication via client certificates for PostgreSQL with openssl.

Working: https://docs.devart.com/studio-for-postgresql/connecting-to-db/generating-ssl-certificate.html

i.e. generate server.crt and use it as root.crt, with the client certificate generated against the server crt

Not working: adding an intermediate certificate
1]
generate root.crt
generate root.crt -> intermediate.crt
generate root.crt -> intermediate.crt -> server.crt
generate root.crt -> intermediate.crt -> client.crt

error:
2024-12-05 12:12:09.574 CET [145340] [unknown]@[unknown] LOG:  could not accept SSL connection: certificate verify failed
2024-12-05 12:12:09.574 CET [145340] [unknown]@[unknown] DETAIL:  Client certificate verification failed at depth 1: unable to get issuer certificate.
Failed certificate data (unverified): subject "/CN=IntermediateA1A", serial number 309702439278542523809315669172409373896084017275, issuer "/CN=RootA1".

2]
generate root.crt
generate root.crt -> intermediate.crt
generate root.crt -> intermediate.crt -> server.crt
generate root.crt -> client.crt

error:
2024-12-05 12:03:35.322 CET [144691] [unknown]@[unknown] LOG:  could not accept SSL connection: certificate verify failed
2024-12-05 12:03:35.322 CET [144691] [unknown]@[unknown] DETAIL:  Client certificate verification failed at depth 1: self-signed certificate in certificate chain.
Failed certificate data (unverified): subject "/CN=RootA1", serial number 600670979593537536306603896096514133306975213284, issuer "/CN=RootA1".

root.crt contains only the root crt, server.crt contains the server + intermediate crt, client.crt contains the client + intermediate crt.
So what should client.crt be generated against for PostgreSQL to accept it?

Thanks



Re: Generating a client certificate for postgre
« Reply #2 on: Today at 13:13:00 »
I had lunch and then misclicked by accident: instead of displaying the crt I displayed the host configuration, and I spotted the error right away. Well, from jumping back and forth between testing cases 1] and 2], a parameter was wrong - ssl_ca_file = server.crt, instead of root.crt.

Solved, variant 1] works with that.
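To make the resolution concrete, here is an added shell example that is not code from the thread or from the linked guide. It builds layout 1] with openssl (root -> intermediate -> server and client), assembles the three files the way the poster describes them (root.crt = root only, server.crt and client.crt = leaf + intermediate), and then checks the client certificate the way the server's verifier does against the two possible ssl_ca_file choices. All CNs, file names and the scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce layout 1] and test both
# ssl_ca_file choices with openssl. CNs, paths and WORK are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# newkey <name> <CN>: fresh RSA key plus a CSR for it
newkey() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# sign <csr> <ca-cert> <ca-key> <out-cert> <extfile>: issue a cert from a CA
sign() {
  openssl x509 -req -sha256 -days 365 -in "$1" -CA "$2" -CAkey "$3" \
    -CAcreateserial -out "$4" -extfile "$5" >/dev/null 2>&1
}

build_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext

  # root.crt: self-signed root CA. This, and only this, is what ssl_ca_file names.
  newkey root ExampleRoot
  openssl x509 -req -sha256 -days 365 -in root.csr -signkey root.key \
    -out root.crt -extfile ca.ext >/dev/null 2>&1

  # root.crt -> intermediate.crt
  newkey intermediate ExampleIntermediate
  sign intermediate.csr root.crt root.key intermediate.crt ca.ext

  # root.crt -> intermediate.crt -> server / client leaf certificates
  # (with clientcert=verify-full the client CN must equal the database user name)
  for name in server client; do
    newkey "$name" "example-$name"
    sign "$name.csr" intermediate.crt intermediate.key "$name-leaf.crt" leaf.ext
  done

  # Files as PostgreSQL consumes them:
  #   ssl_cert_file = server.crt  (server leaf + intermediate)
  #   client sslcert = client.crt (client leaf + intermediate)
  #   ssl_ca_file   = root.crt    (root only, created above)
  cat server-leaf.crt intermediate.crt > server.crt
  cat client-leaf.crt intermediate.crt > client.crt
}

# What the server does with a presented client cert: the trust store is the
# file named by ssl_ca_file ($1); the intermediate arrives from the client's
# bundle as an untrusted chain certificate. Prints "ok" or "fail".
verify_client_against() {
  cd "$WORK"
  if openssl verify -CAfile "$1" -untrusted intermediate.crt client-leaf.crt >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Same check when the client sends only its leaf (client.crt without the intermediate).
verify_client_without_intermediate() {
  cd "$WORK"
  if openssl verify -CAfile "$1" client-leaf.crt >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

build_chain
echo "ssl_ca_file = root.crt          -> $(verify_client_against root.crt)"
echo "ssl_ca_file = server.crt        -> $(verify_client_against server.crt)"
echo "client.crt without intermediate -> $(verify_client_without_intermediate root.crt)"
```

The second line reproduces the failure from case 1]: with server.crt as the trust store the verifier finds the intermediate but no self-signed root above it, so it stops at depth 1 with an issuer error. The third line shows why client.crt has to bundle the intermediate: the server only trusts the root, so the client must supply the rest of the chain itself. On the server side this corresponds to ssl_ca_file = root.crt in postgresql.conf and a pg_hba.conf line with clientcert=verify-ca (or verify-full, or the cert auth method).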