> One reason might be that it doesn't give you any way not to fall back on
> the system store.

To not fall back to the system store you could still provide the exact path to the CA cert file.

> +1 for doing this, although I think client certs are less likely to have
> been issued by a public CA.

I totally agree that it's less likely. And I definitely don't want to block this patch on this feature. Especially since configuring your database server is much easier than configuring ALL the clients that ever connect to your database.

However, I would like to give a use case where using public CA signed client authentication can make sense: authenticating different nodes in a Citus cluster to each other. If such nodes already have a public CA signed certificate for their hostname to attest their identity for regular clients, then you can set up client side auth on each of the nodes so that each node in the cluster can connect as any user to each of the other nodes in the cluster by authenticating with that same certificate.