diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml new file mode 100644 index 955f248..443a48e *** a/doc/src/sgml/libpq.sgml --- b/doc/src/sgml/libpq.sgml *************** ldap://ldap.acme.com/cn=dbserver,cn=host *** 7121,7127 **** To allow server certificate verification, the certificate(s) of one or more trusted CAs must be placed in the file ~/.postgresql/root.crt in the user's home ! directory. (On Microsoft Windows the file is named %APPDATA%\postgresql\root.crt.) --- 7121,7129 ---- To allow server certificate verification, the certificate(s) of one or more trusted CAs must be placed in the file ~/.postgresql/root.crt in the user's home ! directory. If intermediate CAs appear in ! root.crt, the file must also contain certificate ! chains to their root CAs. (On Microsoft Windows the file is named %APPDATA%\postgresql\root.crt.) *************** ldap://ldap.acme.com/cn=dbserver,cn=host *** 7179,7193 **** intermediate certificate authority, rather than one that is directly trusted by the server. To use such a certificate, append the certificate of the signing authority to the postgresql.crt ! file, then its parent authority's certificate, and so on up to a ! root authority that is trusted by the server. The root ! certificate should be included in every case where ! postgresql.crt contains more than one certificate. ! Note that root.crt lists the top-level CAs that are ! considered trusted for signing server certificates. In principle it need not list the CA that signed the client's certificate, though in most cases that CA would also be trusted for server certificates. --- 7181,7195 ---- intermediate certificate authority, rather than one that is directly trusted by the server. To use such a certificate, append the certificate of the signing authority to the postgresql.crt ! file, then its parent authority's certificate, and so on up to a certificate ! authority, root or intermediate, that is trusted by ! the server, i.e. signed by a certificate in the server's ! root.crt file. ! Note that the client's ~/.postgresql/root.crt lists the top-level CAs ! that are considered trusted for signing server certificates. In principle it need not list the CA that signed the client's certificate, though in most cases that CA would also be trusted for server certificates. diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml new file mode 100644 index ab51782..4916837 *** a/doc/src/sgml/runtime.sgml --- b/doc/src/sgml/runtime.sgml *************** pg_dumpall -p 5432 | psql -d postgres -p *** 1986,1995 **** intermediate certificate authority, rather than one that is directly trusted by clients. To use such a certificate, append the certificate of the signing authority to the server.crt file, ! then its parent authority's certificate, and so on up to a root ! authority that is trusted by the clients. The root certificate should ! be included in every case where server.crt contains more than ! one certificate. --- 1986,1995 ---- intermediate certificate authority, rather than one that is directly trusted by clients. To use such a certificate, append the certificate of the signing authority to the server.crt file, ! then its parent authority's certificate, and so on up to a certificate ! authority, root or intermediate, that is trusted by ! clients, i.e. signed by a certificate in the clients' ! root.crt files. *************** pg_dumpall -p 5432 | psql -d postgres -p *** 2008,2014 **** SSL connection startup. (See for a description of how to set up certificates on the client.) The server will verify that the client's certificate is signed by one of the trusted ! certificate authorities. Certificate Revocation List (CRL) entries are also checked if the parameter is set. (See for a description of how to set up certificates on the client.) The server will verify that the client's certificate is signed by one of the trusted ! certificate authorities. If intermediate CAs appear in ! root.crt, the file must also contain certificate ! chains to their root CAs. Certificate Revocation List ! (CRL) entries are also checked if the parameter is set. (See ! Note that root.crt lists the top-level CAs that are ! considered trusted for signing client certificates. In principle it need not list the CA that signed the server's certificate, though in most cases that CA would also be trusted for client certificates. --- 2029,2037 ---- ! Note that the server's root.crt lists the top-level ! CAs that are considered trusted for signing client certificates. ! In principle it need not list the CA that signed the server's certificate, though in most cases that CA would also be trusted for client certificates.