Message-ID:
From: "takeseem (@takeseem)"
To: "pgjdbc/pgjdbc"
Date: Fri, 12 Sep 2025 05:15:41 +0000
Subject: [pgjdbc/pgjdbc] issue #3795: pkcs12 export miss cert-chain
List-Id:
X-GitHub-Author-Id: 4768523
X-GitHub-Author-Login: takeseem
X-GitHub-Issue: 3795
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-State: open
X-GitHub-Type: issue
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/issues/3795
Content-Type: text/plain; charset=utf-8

**CA env**

```
├── root
│   ├── root.crt
│   ├── root.csr
│   ├── root.key
│   └── root.srl
├── inter-server
│   ├── inter-server.crt
│   ├── inter-server.csr
│   ├── inter-server-full.crt
│   ├── inter-server.key
│   └── inter-server.srl
├── inter-client
│   ├── inter-client.crt
│   ├── inter-client.csr
│   ├── inter-client-full.crt
│   ├── inter-client.key
│   └── inter-client.srl
├── pg
│   ├── clients
│   │   └── dev
│   │       ├── dev.crt
│   │       ├── dev.csr
│   │       ├── dev-full.crt
│   │       ├── dev.key
│   │       ├── dev.p12
│   │       ├── dev.pk8
│   │       └── dev.txt
│   ├── pg.crt
│   ├── pg.csr
│   ├── pg-full.crt
│   └── pg.key
```

**Describe the issue**

**ssl mode: `verify-full`**

- CA = root.crt, client: dev-full.crt, dev.key is ok.
- CA = root.crt, client: dev-full.crt, dev.pk8 is ok.

[jdbc.postgresql.org doc](https://jdbc.postgresql.org/documentation/use/#connection-parameters): `openssl pkcs12 -export -in $< -inkey $*.key -out $@ -name user -CAfile $(SERVER_CRT_DIR)root.crt -caname local -passout pass:$(P12_PASSWORD)`

- it will FATAL, because there is no cert chain in `.p12`.
- CA = root.crt, client: dev-full.crt, dev.pk12: `FATAL: connection requires a valid client certificate`

```
openssl pkcs12 -export -in pg/clients/dev/dev.crt -inkey pg/clients/dev/dev.key \
  -out pg/clients/dev/dev.p12 -name user -CAfile root/root.crt -caname inter-client \
  -passout pass:$P12_PASSWORD
```

FIX: openssl add **cert chain**: `-certfile inter-client/inter-client.crt`

- CA = root.crt, client: dev-full.crt, dev.pk12 is ok.

```
openssl pkcs12 -export -in pg/clients/dev/dev.crt -inkey pg/clients/dev/dev.key \
  -out pg/clients/dev/dev.p12 -name user -CAfile root/root.crt -caname inter-client \
  -passout pass:$P12_PASSWORD \
  -certfile inter-client/inter-client.crt
```

**Suggest**

add arg `-certfile` into `openssl pkcs12 -export ...`

- https://github.com/pgjdbc/pgjdbc/blob/549576cbc2618c3cb5014bccc15e798b207693cd/certdir/Makefile#L21
- https://github.com/pgjdbc/pgjdbc/blob/549576cbc2618c3cb5014bccc15e798b207693cd/docs/content/documentation/use.md?plain=1#L137

**about `-name user`**

- [jdbc.postgresql.org use doc](https://jdbc.postgresql.org/documentation/use/#connection-parameters) does not say why; it can link to [ssl doc](https://jdbc.postgresql.org/documentation/ssl/#configuring-the-client) or move the `NOTE` from the `ssl` page to the `use` page.

```
NOTE
When using a PKCS-12 client certificate the name or alias MUST be **user** when using openssl pkcs12 -export **-name user** ...
There are complete examples of how to export the certificate in the [certdir](https://raw.githubusercontent.com/pgjdbc/pgjdbc/master/certdir/Makefile) Makefile
```
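Added example, not code from the issue or from the pgjdbc project: it builds a throwaway root -> intermediate -> client chain in a temp directory, exports the client certificate both the way the docs show and with `-certfile`, then counts the certificates in each `.p12` and checks whether what the `.p12` can present validates against `root.crt` alone, which is the situation of a server whose CA file holds only the root. All file names, subjects and the password are constructed for the example.

```shell
#!/bin/sh
# Added example, not pgjdbc code: compare a leaf-only .p12 with one that
# bundles the intermediate CA via -certfile.
set -e
WORK=$(mktemp -d)
P12_PASSWORD=changeit          # constructed, throwaway password

# Count the certificates (leaf plus any bundled chain) stored in a .p12.
cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASSWORD" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Can the certs inside the .p12 be validated with root.crt alone? This is what
# a server that has only root.crt in its CA file must be able to do.
chain_verifies() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASSWORD" 2>/dev/null \
    > "$WORK/presented.pem"
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/presented.pem" \
    "$WORK/dev.crt" >/dev/null 2>&1
}

make_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  # self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=root -days 1 \
    -keyout root.key -out root.crt 2>/dev/null
  # intermediate CA (the issue's inter-client) signed by root
  openssl req -newkey rsa:2048 -nodes -subj /CN=inter-client \
    -keyout inter-client.key -out inter-client.csr 2>/dev/null
  openssl x509 -req -in inter-client.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 1 -extfile ca.ext -out inter-client.crt 2>/dev/null
  # client certificate for database user "dev", signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -subj /CN=dev -keyout dev.key -out dev.csr 2>/dev/null
  openssl x509 -req -in dev.csr -CA inter-client.crt -CAkey inter-client.key \
    -CAcreateserial -days 1 -out dev.crt 2>/dev/null
  # export as the docs show: -CAfile/-caname do not pull the intermediate in
  openssl pkcs12 -export -in dev.crt -inkey dev.key -out dev-leaf-only.p12 -name user \
    -CAfile root.crt -caname inter-client -passout "pass:$P12_PASSWORD"
  # export with the fix from the issue: -certfile bundles the intermediate
  openssl pkcs12 -export -in dev.crt -inkey dev.key -out dev-with-chain.p12 -name user \
    -certfile inter-client.crt -passout "pass:$P12_PASSWORD"
  cd - >/dev/null
}

make_chain
for p12 in dev-leaf-only.p12 dev-with-chain.p12; do
  if chain_verifies "$WORK/$p12"; then v=verifies; else v="does NOT verify"; fi
  echo "$p12: $(cert_count "$WORK/$p12") cert(s), chain $v against root.crt alone"
done
```

The leaf-only file holds one certificate and does not verify; the `-certfile` file holds two and verifies, which is the difference behind the `FATAL` in the report.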