```sh
# Create a Certificate Signing Request
umask u=rw,go= && openssl req -new -text -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/emailAddress=example@example.com/CN=example-postgres-host.com' -keyout server.key -out server.csr

# Generate self-signed certificate
# (no -days is given here or below, so openssl uses its default validity of 30 days)
umask u=rw,go= && openssl req -x509 -text -in server.csr -key server.key -out server.crt

# Also make the server certificate to be the root-CA certificate
umask u=rw,go= && cp server.crt root.crt

# Remove the now-redundant CSR
rm server.csr

# Generate client certificates to be used by clients/connections

# Create a Certificate Signing Request
umask u=rw,go= && openssl req -new -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/emailAddress=example@example.com/CN=example' -keyout client.key -out client.csr

# Create a signed certificate for the client using our root certificate.
umask u=rw,go= && openssl x509 -req -CAcreateserial -in client.csr -CA root.crt -CAkey server.key -out client.crt

# Remove the now-redundant CSR
rm client.csr
```
I use them to create self-signed certificates for my Postgres installations.
For Postgres connections, replace CN=example with CN=actual-database-user-name in the -subj of the client's Certificate Signing Request, the request that the command titled 'Create a signed certificate for the client' then signs. Then place the server.* and root.* files in the Postgres data directory. Place the client.* and root.crt files on the client machine and use the following format to connect a client, say the psql utility, to the database:
```sh
PGSSLMODE=verify-ca PGSSLCERT=client.crt PGSSLKEY=client.key PGSSLROOTCERT=root.crt psql -h postgres-server.com -p 5432 -U postgres -d postgres
```
Of course, you also need ssl = on in your postgresql.conf file.
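Before copying the files into place, it helps to confirm that they fit together. The function below is an added example, not part of the original post; the name check_pg_certs, its arguments and its messages are assumptions, while the file names are the ones generated above.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed names: check_pg_certs,
# its arguments, and the FAIL messages. File names are the ones used above.
# Usage: sh check_pg_certs.sh <directory-with-the-files> <database-user-name>

check_pg_certs() {
    dir=$1; dbuser=$2; rc=0

    # Both certificates must chain to root.crt; PGSSLMODE=verify-ca performs
    # this check on the server certificate at connection time.
    for crt in server.crt client.crt; do
        openssl verify -CAfile "$dir/root.crt" "$dir/$crt" >/dev/null 2>&1 ||
            { echo "FAIL: $crt does not verify against root.crt"; rc=1; }
    done

    # Each private key must belong to its certificate (compare public keys)
    # and must keep the u=rw,go= mode that the umask above produced.
    for name in server client; do
        from_crt=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey 2>/dev/null)
        from_key=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null)
        if [ -z "$from_crt" ] || [ "$from_crt" != "$from_key" ]; then
            echo "FAIL: $name.key does not match $name.crt"; rc=1
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld "$dir/$name.key" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $name.key is accessible to group or others"; rc=1
        fi
    done

    # The client certificate's CN must be the database user name.
    cn=$(openssl x509 -in "$dir/client.crt" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$dbuser" ]; then
        echo "FAIL: client.crt has CN=$cn, expected CN=$dbuser"; rc=1
    fi

    return "$rc"
}

# Run the checks only when a directory and a user name are supplied.
if [ "$#" -eq 2 ]; then
    check_pg_certs "$1" "$2"
fi
```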