pgjdbc/pgjdbc GitHub issues and pull requests (mirror)  
From: takeseem (@takeseem) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: [pgjdbc/pgjdbc] issue #3795: pkcs12 export miss cert-chain
Date: Fri, 12 Sep 2025 05:15:41 +0000
Message-ID: <[email protected]>

**CA env**

```
├── root
│   ├── root.crt
│   ├── root.csr
│   ├── root.key
│   └── root.srl
├── inter-server
│   ├── inter-server.crt
│   ├── inter-server.csr
│   ├── inter-server-full.crt
│   ├── inter-server.key
│   └── inter-server.srl
├── inter-client
│   ├── inter-client.crt
│   ├── inter-client.csr
│   ├── inter-client-full.crt
│   ├── inter-client.key
│   └── inter-client.srl
├── pg
│   ├── clients
│   │   └── dev
│   │       ├── dev.crt
│   │       ├── dev.csr
│   │       ├── dev-full.crt
│   │       ├── dev.key
│   │       ├── dev.p12
│   │       ├── dev.pk8
│   │       └── dev.txt
│   ├── pg.crt
│   ├── pg.csr
│   ├── pg-full.crt
│   └── pg.key
```

**Describe the issue**

**ssl mode: `verify-full`**
 - CA = root.crt, client: dev-full.crt, dev.key is ok.
 - CA = root.crt, client: dev-full.crt, dev.pk8 is ok.

[jdbc.postgresql.org doc](https://jdbc.postgresql.org/documentation/use/#connection-parameters):
`openssl pkcs12 -export -in $< -inkey $*.key -out $@ -name user -CAfile $(SERVER_CRT_DIR)root.crt -caname local -passout pass:$(P12_PASSWORD)`
 - it will FATAL, because there is no cert chain in the `.p12`.
 - CA = root.crt, client: dev-full.crt, dev.p12: `FATAL: connection requires a valid client certificate`

```
openssl pkcs12 -export -in pg/clients/dev/dev.crt -inkey pg/clients/dev/dev.key \
  -out pg/clients/dev/dev.p12 -name user -CAfile root/root.crt -caname inter-client \
  -passout pass:$P12_PASSWORD
```

FIX: have openssl add the **cert chain**: `-certfile inter-client/inter-client.crt`
 - CA = root.crt, client: dev-full.crt, dev.p12 is ok.

```
openssl pkcs12 -export -in pg/clients/dev/dev.crt -inkey pg/clients/dev/dev.key \
  -out pg/clients/dev/dev.p12 -name user -CAfile root/root.crt -caname inter-client \
  -passout pass:$P12_PASSWORD \
  -certfile inter-client/inter-client.crt
```

**Suggestion**: add the `-certfile` argument to `openssl pkcs12 -export ...`
- https://github.com/pgjdbc/pgjdbc/blob/549576cbc2618c3cb5014bccc15e798b207693cd/certdir/Makefile#L21
- https://github.com/pgjdbc/pgjdbc/blob/549576cbc2618c3cb5014bccc15e798b207693cd/docs/content/document...

**about `-name user`**
- The [jdbc.postgresql.org use doc](https://jdbc.postgresql.org/documentation/use/#connection-parameters) does not say why; it could link to the [ssl doc](https://jdbc.postgresql.org/documentation/ssl/#configuring-the-client), or the `NOTE` could be moved from the `ssl` page to the `use` page.
```
NOTE
When using a PKCS-12 client certificate the name or alias MUST be **user**
 when using openssl pkcs12 -export **-name user** ...
There are complete examples of how to export the certificate in the [certdir](https://raw.githubusercontent.com/pgjdbc/pgjdbc/master/certdir/Makefile) Makefile
```
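A pre-flight check for the problem described in this issue, written as an added example (not pgjdbc code and not from the reporter): it loads the exported `.p12` the way the driver does, confirms the entry is stored under the alias `user`, reports how many certificates the chain holds, and tests whether the last certificate in the chain was signed by the root CA. The invocation `java P12ChainCheck dev.p12 "$P12_PASSWORD" root/root.crt` and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Sanity-checks a pgjdbc client PKCS12 file before it is handed to the driver. */
public class P12ChainCheck {
    /** Number of certificates stored under alias "user", or -1 if that alias is absent. */
    public static int userChainLength(KeyStore ks) throws Exception {
        Certificate[] chain = ks.getCertificateChain("user");
        return chain == null ? -1 : chain.length;
    }

    /** True when the top of the "user" chain is signed by the given root CA certificate. */
    public static boolean chainReachesRoot(KeyStore ks, X509Certificate root) throws Exception {
        Certificate[] chain = ks.getCertificateChain("user");
        if (chain == null || chain.length == 0) return false;
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        try {
            top.verify(root.getPublicKey()); // throws if the root did not sign this certificate
            return true;
        } catch (Exception notSignedByRoot) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <client.p12> <p12 password> <root CA certificate in PEM>
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate root;
        try (InputStream in = new FileInputStream(args[2])) {
            root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        int len = userChainLength(ks);
        if (len < 0) {
            System.out.println("FAIL: no entry with alias \"user\" (export with -name user)");
            System.exit(1);
        }
        System.out.println("chain length under alias \"user\": " + len);
        if (!chainReachesRoot(ks, root)) {
            // A leaf-only export from an intermediate CA ends up here; add -certfile <intermediate>.
            System.out.println("FAIL: chain does not reach the root CA; intermediate missing from .p12");
            System.exit(1);
        }
        System.out.println("OK: chain terminates at the root CA");
    }
}
```

With the export from this issue that omits `-certfile`, the chain length is 1 and the root check fails; with `-certfile inter-client/inter-client.crt` it is 2 and the check passes.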

