|
18
|
1 |
http://www.howtoforge.com/postgresql-ssl-certificates
|
|
|
2 |
|
|
|
3 |
On the server, three certificates are required in the data directory. CentOS default is /var/lib/pgsql/data/:
|
|
|
4 |
root.crt (trusted root certificate)
|
|
|
5 |
server.crt (server certificate)
|
|
|
6 |
server.key (private key)
|
|
|
7 |
|
|
|
8 |
Issue commands as root.
|
|
|
9 |
|
|
|
10 |
sudo -
|
|
|
11 |
|
|
|
12 |
cd /var/lib/pgsql/data
|
|
|
13 |
|
|
|
14 |
Generate a private key (you must provide a passphrase).
|
|
|
15 |
|
|
|
16 |
openssl genrsa -des3 -out server.key 1024
|
|
|
17 |
|
|
|
18 |
Remove the passphrase.
|
|
|
19 |
|
|
|
20 |
openssl rsa -in server.key -out server.key
|
|
|
21 |
|
|
|
22 |
Set appropriate permission and owner on the private key file.
|
|
|
23 |
|
|
|
24 |
chmod 400 server.key
|
|
|
25 |
chown postgres.postgres server.key
|
|
|
26 |
|
|
|
27 |
Create the server certificate.
|
|
|
28 |
-subj is a shortcut to avoid prompting for the info.
|
|
|
29 |
-x509 produces a self signed certificate rather than a certificate request.
|
|
|
30 |
|
|
|
31 |
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=CA/ST=British Columbia/L=Comox/O=TheBrain.ca/CN=thebrain.ca/emailAddress=info@thebrain.ca'
|
|
|
32 |
|
|
|
33 |
Since we are self-signing, we use the server certificate as the trusted root certificate.
|
|
|
34 |
|
|
|
35 |
cp server.crt root.crt
|
|
|
36 |
|
|
|
37 |
You need to edit postgresql.conf to actually activate ssl:
|
|
|
38 |
|
|
|
39 |
ssl = on
|
|
|
40 |
|
|
|
41 |
On the client, we need three files. For Windows, these files must be in %appdata%\postgresql\ directory. For Linux ~/.postgresql/ directory.
|
|
|
42 |
root.crt (trusted root certificate)
|
|
|
43 |
postgresql.crt (client certificate)
|
|
|
44 |
postgresql.key (private key)
|
|
|
45 |
|
|
|
46 |
Generate the the needed files on the server machine, and then copy them to the client. We'll generate the needed files in the /tmp/ directory.
|
|
|
47 |
|
|
|
48 |
First create the private key postgresql.key for the client machine, and remove the passphrase.
|
|
|
49 |
|
|
|
50 |
openssl genrsa -des3 -out /tmp/postgresql.key 1024
|
|
|
51 |
|
|
|
52 |
openssl rsa -in /tmp/postgresql.key -out /tmp/postgresql.key
|
|
|
53 |
|
|
|
54 |
Then create the certificate postgresql.crt. It must be signed by our trusted root (which is using the private key file on the server machine). Also, the certificate common name (CN) must be set to the database user name we'll connect as.
|
|
|
55 |
|
|
|
56 |
openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=CA/ST=British Columbia/L=Comox/O=TheBrain.ca/CN=www-data'
|
|
|
57 |
|
|
|
58 |
openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial
|
|
|
59 |
|
|
|
60 |
Copy the three files we created from the server /tmp/ directory to the client machine.
|
|
|
61 |
|
|
|
62 |
Copy the trusted root certificate root.crt from the server machine to the client machine (for Windows pgadmin %appdata%\postgresql\ or for Linux pgadmin ~/.postgresql/). Change the file permission of postgresql.key to restrict access to just you (probably not needed on Windows as the restricted access is already inherited). Remove the files from the server /tmp/ directory.
|
|
|
63 |
|
|
|
64 |
You must add "clientcert=1" to hostssl options for checking the client certificates, otherwise everyone will be granted access in your setup:
|
|
|
65 |
hostssl all postgres 0.0.0.0/0 trust clientcert=1
|
|
|
66 |
|
|
|
67 |
|