Thank you for the reply Thomas. I agree with you on the mutual TLS that you mentioned.
Here is what I was looking at. The configurations at the server end will be with auth-method as md5 and auth-option as clientcert=verify-ca. In this way, the user's password along with the valid CA should allow connections to pass.

Regards,
Rejo

On Thu, 4 Aug 2022, 03:01 Thomas Guyot, <tgu...@gmail.com> wrote:

> On 2022-08-01 04:12, Rejo Oommen wrote:
> > Requirement is to use only ca.crt and connect to postgres
> >
> > Server.crt, Server.key and ca.crt are configured at the postgres server for tls connection.
> >
> > Connection successful while using
> > psql ‘host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca sslcert=/tmp/server.crt sslkey=/tmp/server.key sslrootcert=/tmp/ca.crt port=5432’
> >
> > For clients to connect, can they use only ca.crt and connect to the DB. Tried and got the below error
> >
> > psql ‘host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca sslrootcert=/tmp/ca.crt port=5432’
> > psql: error: connection to server at “172.29.21.222”, port 50001 failed: FATAL: connection requires a valid client certificate
> >
>
> Hi Rejo,
>
> I don't think you understand fully how mutual TLS auth works. For the client to authenticate using a certificate, it needs a valid certificate and key too, where the certificate is signed by a CA your server trusts (usually the same CA that signed your server cert) and with a proper subject (that bears the certificate owner's user name, the user you will use to grant privileges in the database). You shouldn't even need to pass a username; it will be in the certificate.
>
> I'm talking purely from a generic view. I'm not familiar with any of the specifics of PostgreSQL configuration, but TLS authentication requires a secret, and a CA certificate isn't secret. Your server certificate authenticates the server, but nothing authenticates the client.
>
> Regards,
>
> --
> Thomas
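As an added illustration (not from either poster), here is what the server-side setup Rejo describes looks like in PostgreSQL's own configuration files, using the database and user from the thread; the client subnet and file names are constructed values:

```conf
# postgresql.conf (server side): enable TLS and name the CA that must have
# signed any client certificate the server is asked to verify.
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
ssl_ca_file   = 'ca.crt'

# pg_hba.conf (server side). Rules are matched top to bottom and the first
# matching line wins, so keep only ONE of the two hostssl rules below.
# The ADDRESS 192.0.2.0/24 is a constructed value.
#
# TYPE      DATABASE  USER      ADDRESS        METHOD  OPTIONS
#
# Option A: password check plus a client certificate chained to ssl_ca_file.
# verify-ca only checks the chain; it does not compare the certificate
# subject with the user name, so the password is what ties the session to
# the "postgres" role. scram-sha-256 is the stronger password method if
# every client supports it.
hostssl     test      postgres  192.0.2.0/24   md5     clientcert=verify-ca

# Option B: certificate-only authentication. The cert method implies
# clientcert=verify-full, so the certificate's CN must equal the database
# user name (or be mapped to it through pg_ident.conf).
# hostssl   test      postgres  192.0.2.0/24   cert

# Refuse unencrypted connections for this role outright.
hostnossl   test      postgres  0.0.0.0/0      reject
```

With either rule the client still has to present its own certificate and key, e.g. sslcert=/tmp/client.crt sslkey=/tmp/client.key (constructed names) alongside sslrootcert=/tmp/ca.crt; sslrootcert alone only lets the client verify the server, and the server answers with the "connection requires a valid client certificate" error quoted in the thread.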