Are SSL/TLS certificate Alternate Trust Paths supported? #3236
Hello! We've run into an interesting problem with regards to connecting to a Postgres server with TLS. We've implemented a workaround for it, but we'd like to understand the issue better in order to determine if we can potentially help improve jdbc-postgres in some way, or if we need to revisit our fix and maybe implement something different.

Background: My role is as an infrastructure security engineer, so my team builds infrastructure for our org (cloud infrastructure) and it has to meet certain security requirements.

The problem: We're deploying Keycloak which uses jdbc-postgres to make a connection to a postgres server, and if we configure the connection string with

We're building the postgres server in Azure. For Azure Postgres servers, Microsoft issues their own root CA (warning: direct download link), and they have intermediate certs which sign the postgres server's certificate. The intermediate certs are cross-signed by both the Microsoft RSA Root CA linked above (which is not necessarily trusted everywhere) and the DigiCert G2 RSA Root CA, which is trusted pretty much globally by OS vendors.

Troubleshooting steps:
So my question around alternate trust paths being supported or not comes from the fact that the DigiCert G2 RSA Root cross-signed the intermediate certificate which signed the server cert. We can definitely confirm that jdbc-postgres did not use the java cacerts system trust store file as it should have been able to build a full chain from the public key of the DigiCert G2 Root or the MS Root (since both are present in the

So -- why didn't dropping the DigiCert G2 root into

Additionally, is this something that can even be fixed in jdbc-postgres, or is it a limitation in Java that requires a fix upstream? Perhaps I should open a thread upstream to confirm if Java itself supports validating alternate trust paths. Please advise.
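One way to separate the two questions in the post (does the JVM's own PKIX validation accept the cross-signed chain, versus does the driver consult cacerts at all) is to run the PostgreSQL SSLRequest handshake by hand and let the JVM's default trust store validate the server's chain. This is an added diagnostic, not code from pgjdbc or from the poster; it assumes a reachable server given as host (and optional port) on the command line and uses whatever `cacerts` or `-Djavax.net.ssl.trustStore` the JVM is started with.

```java
import javax.net.ssl.*;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.ByteBuffer;
import java.security.cert.X509Certificate;

// Diagnostic: do the PostgreSQL SSLRequest dance, then hand the socket to the
// JVM's default SSLContext so the JVM's trust store and PKIX path builder
// (which searches all candidate issuers, including cross-signed ones) judge the chain.
public class PgTlsTrustCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];                                   // assumed: server hostname
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 5432;

        try (Socket plain = new Socket(host, port)) {
            // PostgreSQL SSLRequest message: int32 length (8) + int32 code 80877103
            OutputStream out = plain.getOutputStream();
            out.write(ByteBuffer.allocate(8).putInt(8).putInt(80877103).array());
            out.flush();
            int reply = plain.getInputStream().read();           // 'S' = server will speak TLS
            if (reply != 'S') {
                System.out.println("Server declined SSL (reply=" + (char) reply + ")");
                return;
            }
            // Default factory = default SSLContext = JVM trust store, independent of pgjdbc.
            SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
            try (SSLSocket tls = (SSLSocket) f.createSocket(plain, host, port, true)) {
                SSLParameters p = tls.getSSLParameters();
                p.setEndpointIdentificationAlgorithm("HTTPS");  // hostname check, as verify-full does
                tls.setSSLParameters(p);
                tls.startHandshake();                            // throws if no trusted path is found
                System.out.println("Handshake OK with " + tls.getSession().getProtocol());
                // Print the chain the server sent (not the path the JVM built) for comparison.
                for (java.security.cert.Certificate c : tls.getSession().getPeerCertificates()) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject=" + x.getSubjectX500Principal()
                        + "  issuer=" + x.getIssuerX500Principal());
                }
            }
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
    }
}
```

If this succeeds while the driver with the same JVM fails, the gap is in which trust store the driver consults rather than in Java's path validation; pgjdbc's `sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory` option makes the driver use this same default JVM trust store.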
Replies: 2 comments 1 reply
I presume this works with psql?
There are quite a few Microsoft folks on the PostgreSQL Hackers list so they should be interested.