If we're going to open this up, can we add an option to say "this key is
allowed to log in to this account", SSH style?

I like the idea of using keys rather than .pgpass, but I like the
~/.ssh/authorized_keys model and don't like the "set up an entire
certificate infrastructure" approach.

On Thu, 19 Sep 2019 at 10:54, Thomas Berger <thomas.ber...@1und1.de> wrote:

> Hi,
>
> currently, libpq does SSL certificate validation only against the defined
> `PGSSLROOTCERT` file.
>
> Is there any specific reason why the system truststore (at least under
> unixoid systems) is not considered for the validation?
>
> We would like to contribute a patch to allow certificate validation
> against the system truststore. Are there any opinions against it?
>
>
> A little bit of background for this:
>
> Internally we sign the certificates for our systems with our own CA. The
> CA root certificates and revocation lists are distributed via puppet
> and/or packages on all of our internal systems.
>
> Validating the certificate against this CA requires either overriding the
> PGSSLROOTCERT location via the environment or providing a copy of the file
> for each user that connects with libpq or libpq-like connectors.
>
> We would like to simplify this.
>
>
> --
> Thomas Berger
>
> PostgreSQL DBA
> Database Operations
>
> 1&1 Telecommunication SE | Ernst-Frey-Straße 10 | 76135 Karlsruhe | Germany
>
>
>
