On Tue, 7 Sept 2021 at 12:59, Tom Lane <t...@sss.pgh.pa.us> wrote:
>
> I guess what it comes down to is whether you think that public or private certs are
> likely to be the majority use-case in the long run. The shortage of
> previous requests for this feature says that right now, just about
> everyone is using self-signed or private-CA certs for Postgres
> servers. So it would likely be a long time, if ever, before public-CA
> certs become the majority use-case.
Well the main thing making public CA certs a pain is precisely tools that are a pain to configure to use public CA certs, so it's a bit of a chicken-and-egg problem. Projects like LetsEncrypt are all about making public CA certs work easily without any additional effort.

However I have a different question. Are the system certificates intended or general purpose certificates? Do they have their intended uses annotated on the certificates? Does SSL verification have any logic deciding which certificates are appropriate for signing servers?

I ask because the only authority I'm personally aware of is the web browser consortium that approves signers for web site domains. That's what web browsers need, but I'm not sure those are the same authorities that are appropriate for internal services like databases.

-- 
greg
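As an added example (not from this thread and not PostgreSQL code), here is a Go check of the annotations the question above asks about: it reads BasicConstraints and ExtendedKeyUsage from a certificate and reports whether it is a CA and whether its EKU permits server authentication. The CA certificate is constructed in memory rather than taken from a real trust store, and the type and function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Verdict records what a certificate's own extensions say about its intended use:
// the BasicConstraints cA flag, whether an EKU extension is present at all, and
// whether that EKU (or its absence) permits serverAuth.
type Verdict struct{ IsCA, HasEKU, AllowsServer bool }

// InspectIntendedUse reads BasicConstraints and ExtendedKeyUsage from a parsed
// certificate. Under RFC 5280 a missing EKU extension means "any purpose", so a
// trust store of such roots carries no annotation separating web CAs from CAs
// meant for internal services.
func InspectIntendedUse(c *x509.Certificate) Verdict {
	v := Verdict{IsCA: c.IsCA, HasEKU: len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) > 0}
	if !v.HasEKU {
		v.AllowsServer = true // no EKU extension: unrestricted
		return v
	}
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth || u == x509.ExtKeyUsageAny {
			v.AllowsServer = true
		}
	}
	return v
}

// MakeSelfSignedCA builds a constructed, in-memory CA certificate (not a real
// trust-store entry) carrying the given EKU list, so the check runs offline.
func MakeSelfSignedCA(eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed example CA"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign, ExtKeyUsage: eku, // nil: no EKU extension emitted
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running InspectIntendedUse over the roots in a system trust store would show how many carry no EKU at all, which is the case where the store itself gives no answer to the question of intended use.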