May 2018
For testing purposes, or for just setting up a single trusted user, you can use a self-signed certificate:
openssl genrsa 2048 > client.key
openssl req -new -x509 -key client.key -out client.crt
On the server, add a line to the pg_hba.conf file that uses the hostssl connection type with the clientcert option set to 1:
hostssl all all 0.0.0.0/0 md5 clientcert=1
Put the client root certificate in the root.crt file in the server data directory ($PGDATA/root.crt). This file may contain multiple trusted root certificates.
If you are using a central certificate authority, you probably also have a certificate revocation list, which should be put in a root.crl file and regularly updated.
On the client, put the client's private key and certificate in ...
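The pg_hba.conf record above is the piece that forces a client certificate; as an added example (not from the book), here is a small audit that parses pg_hba.conf records and flags TCP entries that either permit non-SSL connections or use hostssl without requiring a client certificate. The sample configuration is constructed, addresses are assumed to be in CIDR form, and the clientcert values verify-ca/verify-full are accepted alongside 1 because newer PostgreSQL releases spell the option that way.

```python
"""Audit pg_hba.conf for records that do not require a verified client certificate."""
import shlex

# Constructed sample pg_hba.conf: one recommended record plus several weaker ones.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER  ADDRESS      METHOD
local     all       all                peer
hostssl   all       all   0.0.0.0/0    md5 clientcert=1
hostssl   all       all   ::/0         md5
host      all       all   10.0.0.0/8   md5
hostnossl all       all   0.0.0.0/0    trust
"""

# Values of clientcert that make the server verify the client certificate chain.
CERT_REQUIRED = {"1", "verify-ca", "verify-full"}


def parse_pg_hba(text):
    """Return one dict per record: type, database, user, address, method, options."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)               # pg_hba.conf allows quoted fields
        rec = {"type": fields[0], "database": fields[1], "user": fields[2]}
        if rec["type"] == "local":               # Unix-socket records have no address column
            rec["address"], rest = None, fields[3:]
        else:                                    # assumes CIDR form, no separate netmask column
            rec["address"], rest = fields[3], fields[4:]
        rec["method"] = rest[0] if rest else ""
        rec["options"] = dict(opt.split("=", 1) for opt in rest[1:] if "=" in opt)
        records.append(rec)
    return records


def audit_pg_hba(text):
    """Return (type, address, problem) tuples for TCP records weaker than hostssl + clientcert."""
    problems = []
    for rec in parse_pg_hba(text):
        if rec["type"] == "local":
            continue
        if rec["type"] in ("host", "hostnossl"):
            problems.append((rec["type"], rec["address"], "allows non-SSL connections"))
        elif rec["type"] == "hostssl" and rec["options"].get("clientcert") not in CERT_REQUIRED:
            problems.append((rec["type"], rec["address"], "SSL without client certificate verification"))
        if rec["method"] == "trust":
            problems.append((rec["type"], rec["address"], "trust method authenticates nobody"))
    return problems


if __name__ == "__main__":
    for conn_type, address, problem in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"{conn_type:<9} {address:<12} {problem}")
```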