To have PostgreSQL validate certificates, you must configure the server to start in SSL mode and create or move several files into the server's data directory, as described in the procedure below. The server-side configuration is also documented on the postgresql.org website.
-
Move or create the files containing the server certificate and private key in the server data directory. By default these files are named server.crt and server.key. The server also reads the trusted certificate authority (CA) certificate from root.crt and the certificate revocation list from root.crl:
File                                Description
ssl_cert_file ($PGDATA/server.crt)  The server certificate, sent to the client to identify the server.
ssl_key_file ($PGDATA/server.key)   The server's private key. It proves that the server owns server.crt and must be readable only by the server process.
ssl_ca_file ($PGDATA/root.crt)      The certificate of the certificate authority that signed the client certificates; the server uses it to check that a presented client certificate can be trusted.
ssl_crl_file ($PGDATA/root.crl)     The certificate revocation list published by that authority; the server refuses a connection whose client certificate is listed in it.
-
Set the permissions on server.key so that neither group nor world can access it (the server refuses to start with SSL enabled if the key is more permissive), by typing the following command at the command prompt
chmod 0600 server.key
and pressing enter.
-
Using a text editor, open postgresql.conf, set the ssl parameter to on (ssl = on), save the file, and close the editor.
-
Restart the PostgreSQL server so that the configuration change takes effect, by typing the following command at the command prompt
/etc/init.d/postgresql-9.0 restart
and pressing enter.
-
If the restart fails, check that the server process can read the key file: as root, give the postgres user ownership of server.key by typing the following command at the command prompt
chown postgres server.key
and pressing enter, then restart the server again.
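The whole procedure above, as one added shell script that is not part of the original page or of the PostgreSQL project. It builds a throw-away CA with the openssl command line, signs one server certificate and two client certificates, revokes one of the client certificates so that root.crl carries a real entry, installs the four files into a data directory, applies the 0600 permission and (only when run as root and the user exists) the postgres ownership from the steps above, switches ssl = on in postgresql.conf, and finally uses openssl verify to confirm that the good client certificate passes against root.crt plus root.crl while the revoked one is rejected. The scratch openssl.cnf, the certificate names (db.example.test, alice, mallory) and the helper function names are assumptions made for this example; one CA signs both the server and the client certificates, which is the simplest layout and matches the file names the page uses.

```shell
#!/bin/sh
# Added example, not code from the PostgreSQL documentation or project.  Builds a
# throw-away PKI with the openssl CLI, installs server.crt/server.key/root.crt/root.crl
# into a data directory, fixes key permissions, sets ssl = on, and verifies the result.
# Assumed names: the scratch openssl.cnf below, the CN values, the helper functions.

# Self-contained openssl config so the result does not depend on the system openssl.cnf:
# CA flag on the root, serverAuth/clientAuth on the leaves, and the bookkeeping
# files `openssl ca` needs to revoke a certificate and emit a CRL.
pg_write_openssl_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ ca ]
default_ca = pg_ca
[ pg_ca ]
database = index.txt
crlnumber = crlnumber
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 30
EOF
}

# $1 = scratch dir.  Creates root.crt/key, server.crt/key, client.crt/key (alice)
# and client-revoked.crt/key (mallory), revokes mallory, and writes root.crl.
pg_make_certs() {
  ( set -e; cd "$1"
    pg_write_openssl_cnf openssl.cnf
    : > index.txt; echo 1000 > crlnumber
    openssl req -x509 -config openssl.cnf -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=Demo PostgreSQL CA" -keyout root.key -out root.crt 2>/dev/null
    for spec in server:server_ext:db.example.test client:client_ext:alice \
                client-revoked:client_ext:mallory; do
      name=${spec%%:*}; rest=${spec#*:}; ext=${rest%%:*}; cn=${rest#*:}
      openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -keyout "$name.key" -out "$name.csr" 2>/dev/null
      # -CAcreateserial makes root.srl on first use and increments it afterwards,
      # so every issued certificate gets a distinct serial for the CRL to name.
      openssl x509 -req -in "$name.csr" -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -sha256 -extfile openssl.cnf -extensions "$ext" -out "$name.crt" 2>/dev/null
    done
    openssl ca -config openssl.cnf -revoke client-revoked.crt 2>/dev/null
    openssl ca -config openssl.cnf -gencrl -out root.crl 2>/dev/null )
}

# True when $2 chains to the CA in $1 and is not listed in CRL $3: the check the
# server performs with root.crt and root.crl on a presented client certificate.
pg_cert_ok() { openssl verify -CAfile "$1" -CRLfile "$3" -crl_check "$2" >/dev/null 2>&1; }

# Copy the four files from PKI dir $1 into data dir $2 and lock down the key as the
# procedure does: 0600, and owned by postgres when we are root and the user exists.
pg_install_ssl_files() {
  cp "$1/server.crt" "$1/server.key" "$1/root.crt" "$1/root.crl" "$2/"
  chmod 0600 "$2/server.key"
  if [ "$(id -u)" = 0 ] && id postgres >/dev/null 2>&1; then chown postgres "$2/server.key"; fi
}

# True when $1 is exactly mode 0600 and, if $2 is given, owned by that user.  A key
# failing this is the usual reason the restart after ssl = on fails.
pg_key_perms_ok() {
  [ -n "$(find "$1" -prune -perm 0600 2>/dev/null)" ] || return 1
  [ -z "${2:-}" ] || [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

# Set ssl = on in postgresql.conf ($1) whether the line is commented out, says
# ssl = off, or is missing.  Other ssl_* settings do not match and are left alone.
pg_enable_ssl() {
  if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*ssl[[:space:]]*=' "$1"; then
    sed -i.bak 's/^[[:space:]]*#\{0,1\}[[:space:]]*ssl[[:space:]]*=.*/ssl = on/' "$1" && rm -f "$1.bak"
  else
    printf 'ssl = on\n' >> "$1"
  fi
}
pg_ssl_enabled() { grep -q '^ssl[[:space:]]*=[[:space:]]*on' "$1"; }

# End to end.  $1 = PostgreSQL data directory, e.g. /var/lib/pgsql/9.0/data (assumed path).
pg_ssl_demo() {
  pki=$(mktemp -d)
  pg_make_certs "$pki" && pg_install_ssl_files "$pki" "$1" &&
  pg_enable_ssl "$1/postgresql.conf" && pg_key_perms_ok "$1/server.key" &&
  pg_ssl_enabled "$1/postgresql.conf" &&
  pg_cert_ok "$pki/root.crt" "$pki/client.crt" "$pki/root.crl" &&
  ! pg_cert_ok "$pki/root.crt" "$pki/client-revoked.crt" "$pki/root.crl" &&
  echo "SSL files installed in $1 (client certs left in $pki); restart the server now"
}
# Usage: sh pg_ssl_setup.sh run /var/lib/pgsql/9.0/data
case "${1:-}" in run) pg_ssl_demo "${2:?data directory}" ;; esac
```

After the script reports success, restart the server as in the procedure; the client.crt/client.key pair in the scratch directory can then be handed to a test user together with root.crt to try a client-certificate login, and client-revoked.crt should be refused.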