
Steps to reproduce:

  1. Install Postgres 17.5 and OpenSSL on Windows 11

  2. Run the following commands. Enter postgres as common name on client cert creation:

    openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key
    openssl req -new -nodes -out client.csr -keyout client.key
    openssl x509 -req -in client.csr -CA server.crt -CAkey server.key -CAcreateserial -out client.crt -days 365
    
  3. Copy files to server data directory:

    copy server.key "C:\Program Files\PostgreSQL\17\data"
    copy server.crt "C:\Program Files\PostgreSQL\17\data\root.crt"
    copy server.crt "C:\Program Files\PostgreSQL\17\data"
    
    
  4. Add the following lines to top of pg_hba.conf:

    hostssl all postgres ::1/0 cert
    hostssl all postgres 0.0.0.0/0 cert
    
  5. Add the following lines to end of postgresql.conf:

    ssl = on
    ssl_ca_file = 'root.crt'
    ssl_cert_file = 'server.crt'
    ssl_key_file = 'server.key'
    
  6. Re-start postgres service

  7. Run commands

    set PGSSLCERT=client.crt
    set PGSSLKEY=client.key 
    "C:\Program Files\PostgreSQL\17\bin\pg_dump" -f "test.backup" -F c -h localhost -U postgres postgres
    
    
    

Observed:

pg_dump: error: connection to server at "localhost" (::1), port 5432 failed: SSL error: tlsv1 alert unknown ca

Postgres log contains:

    [unknown] ::1 [unknown] LOG: could not accept SSL connection: certificate verify failed
    [unknown] ::1 [unknown] DETAIL: Client certificate verification failed at depth 0: self-signed certificate. Failed certificate data (unverified): subject "...rju/L=test/O=test/CN=postgres/[email protected]", serial number 14465968192346824308, issuer "...rju/L=test/O=test/CN=postgres/[email protected]"

How to use cert authentication with pg_dump?

  • TLS never works for localhost (unless you explicitly added "localhost" as hostname as subject alternative name in the cert). Use the public hostname of the server even if you work on the same server. Commented Jul 1 at 11:23
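
The DETAIL entry in the question's log reports the same DN for subject and issuer at depth 0, which is what a client certificate looks like when it carries the same subject as the CA that signed it. As an added example (not part of the original post), this Python script parses that PostgreSQL log format and flags that case; the `diagnose` helper, the finding names and the sample log entries are constructed for illustration.

```python
import re
from typing import Optional

# Shape of the PostgreSQL DETAIL entry shown in the log above.
DETAIL_RE = re.compile(
    r'Client certificate verification failed at depth (?P<depth>\d+): '
    r'(?P<reason>[^.]+)\.\s+Failed certificate data \(unverified\): '
    r'subject "(?P<subject>[^"]*)", serial number (?P<serial>[^,]+), '
    r'issuer "(?P<issuer>[^"]*)"'
)

# Constructed sample entries (not taken from a real server).
SAMPLE_COLLISION = (
    'DETAIL: Client certificate verification failed at depth 0: '
    'self-signed certificate. Failed certificate data (unverified): '
    'subject "/O=test/CN=postgres", serial number 1001, '
    'issuer "/O=test/CN=postgres".'
)
SAMPLE_UNTRUSTED = (
    'DETAIL: Client certificate verification failed at depth 0: '
    'unable to get local issuer certificate. '
    'Failed certificate data (unverified): '
    'subject "/O=test/CN=postgres", serial number 1002, '
    'issuer "/O=test/CN=Example Client CA".'
)

def diagnose(detail: str) -> Optional[dict]:
    """Parse one DETAIL entry and classify the verification failure."""
    m = DETAIL_RE.search(detail)
    if m is None:
        return None
    info = m.groupdict()
    info["depth"] = int(info["depth"])
    if info["depth"] == 0 and info["subject"] == info["issuer"]:
        # Leaf names itself as issuer: the verifier classifies it as
        # self-signed instead of chaining it to the CA in ssl_ca_file.
        info["finding"] = "dn-collision"
        info["hint"] = "give the CA and the client certificate different subject DNs"
    elif "unable to get local issuer" in info["reason"]:
        info["finding"] = "issuer-not-trusted"
        info["hint"] = "add the issuing CA certificate to ssl_ca_file"
    else:
        info["finding"] = "other"
        info["hint"] = "inspect the reason text"
    return info

if __name__ == "__main__":
    for entry in (SAMPLE_COLLISION, SAMPLE_UNTRUSTED):
        result = diagnose(entry)
        print(result["finding"], "->", result["hint"])
```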
