Writing new private key to data]$ chmod og-rwx data]$ openssl x509 -req \ Let’s create the certificate with the new root data]$ openssl req -new -nodes -text \ We use this path when we sign the data]$ openssl x509 -req -in root.csr \
We have seen that it is not always in the same place – so make sure you are using the right data]$ find / -name openssl.cnf \ To do that with OpenSSL, we first have to find out where openssl.cnf can be found. However, to create a server certificate whose identity and origin can be validated by clients, first create a certificate signing request and a public/private key data]$ openssl req -new -nodes -text \Īgain, we have to make sure that those permissions are exactly the way they should be: data]$ chmod og-rwx root.key If those permissions are too relaxed, the server will not accept the certificate: data]$ chmod og-rwx server.key Next we have to set permissions to ensure the certificate can be used.
This certificate will be valid for 365 days. Here is how it data]$ openssl req -new -x509 -days 365 \ However, it is of course also possible with other certificates are. In order to keep things simple, we will simply create self-signed certificates here. The next thing you have to do is to create certificates. Then restart the database instance to make sure SSL is enabled. # "local" is for Unix domain socket connections only In the next step we have to adjust pg_hba.conf to ensure that PostgreSQL will handle our connections in a secure way: We just reloaded to show the effect on the variable. Technically, pg_reload_conf() is not needed at this stage. The SHOW command is an easy way to make sure that the setting has indeed been changed. This is an important point causing problems quite frequently for some users: However, you will still need a restart otherwise PostgreSQL will not accept SSL connections. The variable can be set with a plain reload. Please note that turning SSL on does not require a database restart. The remaining parameters define the location of key files, the strength of the ciphers and so on. Once ssl = on, the server will negotiate SSL connections in case they are possible. #ssl_passphrase_command_supports_reload = off #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
There are a couple of parameters which are related to encryption: ssl = on The first thing we have to do to set up OpenSSL is to change nf. This posting will help you to set up SSL authentication for PostgreSQL properly, and hopefully also to understand some background information to make your database more secure.Īt the end of this post, you should be able to configure PostgreSQL and handle secure client server connections in the easiest way possible. It makes sense, then, to consider SSL to encrypt the connection between client and server. PostgreSQL is a secure database and we want to keep it that way. The subsequent sections discuss each parameter in detail.Encryption openssl postgres postgresql ssl
In the first section of this chapter we describe how to interact with configuration parameters. There are many configuration parameters that affect the behavior of the database system. Version and Platform Compatibility 20.13.1. Query and Index Statistics Collector 20.9.2. Managing Configuration File Contents 20.2. Parameter Interaction via the Shell 20.1.5. Parameter Interaction via the Configuration File 20.1.3.