Here's a problem I and some others have been wrestling with. The problem was presented by a PostgreSQL Experts client. If you want to play along, here are the test files I have been using. Included is a root Certificate Authority certificate, an Intermediate Certificate Authority certificate signed by the root CA, a server certificate and key, two client certificates and associated keys, and a certificate revocation list (CRL) which revokes the second client certificate. The server certificate, client certificates and CRL are all signed by the Intermediate CA. The client certificates are for a user named "andrew".
Our test platform is PostgreSQL 9.1 built with OpenSSL, a config setting of 'ssl = on', a user and database both named "andrew", and the following pg_hba.conf line:
hostssl all all 127.0.0.1/32 cert
All the binaries are under $INSTALL and so is the data directory.
To install the server certificates (but not the CRL just yet) we do:
Anyone who can shed some light on what's going on here would earn at least some gratitude from me. I don't think I'm doing anything wrong, but I could certainly be missing something. This looks like a nasty bug, but I'm not sure if it's a bug in Postgres or in OpenSSL.
Have you tried concatenating the root crt and the crl together as well as providing the lone crl file?
I seemed to remember reading something very similar quite some time ago where that was required but not obvious.
No problem. And we now have a solution :-) (needed the CRL file to contain a CRL for the root CA).
Usually when CRL verification is turned on it means that you need to have a valid CRL for all the CAs in the cert chain. Can you generate the CRL for the root CA and append it to the crl file? I believe that this CRL is needed even if no certificate is revoked by the root CA.
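The following script is an added example, written for this page rather than taken from the post or from PostgreSQL. It rebuilds the kind of PKI described at the top of the post with the openssl command-line tool (a root CA, an intermediate CA signed by it, a server certificate and two client certificates for "andrew" signed by the intermediate, with the second client certificate revoked) and then reproduces the problem and the fix from the comments: when every certificate in the chain is CRL-checked, as `openssl verify -crl_check_all` does and as the PostgreSQL backend does once a root.crl is present, a CRL file holding only the intermediate CA's CRL fails, while the same file with the root CA's (empty) CRL appended verifies the good client certificate and rejects the revoked one. The CA names, file names (client1, client2, chain.crl, openssl.log), the minimal `openssl ca` configuration and the use of a temporary directory are all assumptions of this example; it only needs a working `openssl` binary.

```shell
#!/bin/sh
# Added example, not code from the original post: build a root CA, an
# intermediate CA, a server cert and two client certs for "andrew" (the
# second one revoked), then show that chain-wide CRL checking needs a CRL
# from every CA in the chain, even the root CA that has revoked nothing.
set -e

# Build the whole PKI under directory $1. Tool chatter goes to $1/openssl.log.
pki_setup() {
  ( set -e
    cd "$1"
    mkdir -p root/newcerts intermediate/newcerts
    for d in root intermediate; do
      : > "$d/index.txt"; echo 1000 > "$d/serial"; echo 1000 > "$d/crlnumber"
    done
    # Minimal 'openssl ca' configuration (assumed for this example);
    # the CA_DIR environment variable selects which CA's state directory is used.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = myca
[ myca ]
dir = ${ENV::CA_DIR}
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
unique_subject = no
[ policy_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
    exec >openssl.log 2>&1
    export CA_DIR=root
    # Self-signed root CA, then an intermediate CA signed by the root.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root/ca.key -out root/ca.crt \
      -subj "/CN=Test Root CA" -days 365 -config ca.cnf -extensions v3_ca
    openssl req -new -newkey rsa:2048 -nodes -keyout intermediate/ca.key \
      -out intermediate/ca.csr -subj "/CN=Test Intermediate CA" -config ca.cnf
    openssl ca -batch -notext -config ca.cnf -extensions v3_ca \
      -in intermediate/ca.csr -out intermediate/ca.crt
    # Server cert plus two client certs for user "andrew", all signed by the intermediate.
    export CA_DIR=intermediate
    for leaf in server:localhost client1:andrew client2:andrew; do
      name=${leaf%%:*}; cn=${leaf#*:}
      openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "/CN=$cn" -config ca.cnf
      openssl ca -batch -notext -config ca.cnf -extensions v3_leaf \
        -in "$name.csr" -out "$name.crt"
    done
    # Revoke the second client cert and issue a CRL from each CA. The root's
    # CRL revokes nothing, yet chain-wide checking still requires it.
    openssl ca -batch -config ca.cnf -revoke client2.crt
    openssl ca -batch -config ca.cnf -gencrl -out intermediate/ca.crl
    CA_DIR=root openssl ca -batch -config ca.cnf -gencrl -out root/ca.crl
    # Both CRLs concatenated into one PEM file: the shape of the fix from the thread.
    cat intermediate/ca.crl root/ca.crl > chain.crl
  )
}

# verify_chain PKI_DIR LEAF_CERT [CRL_FILE]: prints OK, NO_CRL, REVOKED or FAIL.
# With a CRL file, -crl_check_all checks every certificate in the chain, not
# just the leaf, which is why a CRL from each CA must be present.
verify_chain() {
  pki=$1; leaf=$2; crl=$3
  if [ -n "$crl" ]; then
    out=$(openssl verify -crl_check_all -CRLfile "$crl" -CAfile "$pki/root/ca.crt" \
            -untrusted "$pki/intermediate/ca.crt" "$leaf" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$pki/root/ca.crt" \
            -untrusted "$pki/intermediate/ca.crt" "$leaf" 2>&1 || true)
  fi
  case $out in
    *": OK"*)                          echo OK ;;
    *"unable to get certificate CRL"*) echo NO_CRL ;;
    *"certificate revoked"*)           echo REVOKED ;;
    *)                                 echo "FAIL: $out" ;;
  esac
}

WORK=$(mktemp -d)
pki_setup "$WORK"
echo "client1, no CRL checking:          $(verify_chain "$WORK" "$WORK/client1.crt")"
echo "client1, intermediate CRL only:    $(verify_chain "$WORK" "$WORK/client1.crt" "$WORK/intermediate/ca.crl")"
echo "client1, intermediate + root CRLs: $(verify_chain "$WORK" "$WORK/client1.crt" "$WORK/chain.crl")"
echo "client2, intermediate + root CRLs: $(verify_chain "$WORK" "$WORK/client2.crt" "$WORK/chain.crl")"
```

Run as a plain POSIX shell script. The second line of output is the interesting one: with only the intermediate CA's CRL available, OpenSSL cannot find a CRL for the intermediate's own issuer and stops with "unable to get certificate CRL", even though the client certificate itself is fine. Once root/ca.crl is appended (chain.crl), client1 verifies and client2 is reported as revoked. For a PostgreSQL 9.1 server of the kind described in the post, chain.crl is what would be installed as root.crl in the data directory, next to a root.crt holding the CA certificates the server trusts.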