Participants
Sahagian, David
Sahagian, David
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1Sahagian, DavidSahagian, David
Dec 19, 2012
#2Tom LaneTom Laneto Sahagian, David (#1)
Dec 20, 2012

cannot load server.crt

Started by Sahagian, Davidover 13 years ago2 messagesgeneral
Jump to latest
#1Sahagian, David
Sahagian, David
david.sahagian@emc.com

9.1.3 on Linux . . .

We use our own CA implementation inside Java to generate a PEM-encoded certificate chain (server.crt) and key (server.key).

The certificates are, as they should be, base-64 encoded and surrounded by the appropriate delimiters such as
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

They are also line-wrapped at 77 characters.
But the line wrapping code can cause an extra newline char following the final base-64 encoded character of the cert or key, and before the -----END CERTIFICATE----- delimiter.

When this happens, Postgres rejects the certificate.

-----BEGIN CERTIFICATE-----
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
. . .
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah

-----END CERTIFICATE-----

Although these formats are imprecisely defined, we think Postgres should accept such a certificate since both Java keytool and Windows certificate management accept the certificate as valid.

Is this a bug in OpenSSL and/or Postgres ?

-dvs-

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Sahagian, David (#1)
Re: cannot load server.crt

"Sahagian, David" <david.sahagian@emc.com> writes:

We use our own CA implementation inside Java to generate a PEM-encoded certificate chain (server.crt) and key (server.key).

The certificates are, as they should be, base-64 encoded and surrounded by the appropriate delimiters such as
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

They are also line-wrapped at 77 characters.

But the line wrapping code can cause an extra newline char following the final base-64 encoded character of the cert or key, and before the -----END CERTIFICATE----- delimiter.

When this happens, Postgres rejects the certificate.

That would be OpenSSL rejecting the cert; Postgres never touches such
files directly. I don't know whether there's an official spec about
the contents of cert files, but you'd have to take it up with the
OpenSSL folk if you want to lobby for a change in this behavior.

regards, tom lane

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

← Back to Topics