TLS verification to intermediate trust anchor with psql

Miroslav Pankov <miroslav.pankov@broadcom.com>

From: Miroslav Pankov <miroslav.pankov@broadcom.com>
To: pgsql-bugs@lists.postgresql.org
Date: 2025-10-21T08:15:29Z
Lists: pgsql-bugs
Hi team.

I would like to raise that per RFC 5280 secton 6.1
<https://datatracker.ietf.org/doc/html/rfc5280#section-6.1>, TLS
verification could be established with a trust anchor which is an
intermediate CA and not the root CA in the chain. However, working with
psql CLI, sslmode=verify-ca or verify-full, I need to specify sslrootcert
to a file containing the root CA.

I think the behavior is derived from libpq and openssl. However, I would
like to raise it for a debate on the reasoning and would appreciate the PG
team position on it.

NOTE: I am aware that OS-trust works with sslrootcert=system in PG 16+.

Regards.
Miroslav