|PostgreSQL 7.4.30 Documentation|
|Prev||Fast Backward||Chapter 16. Server Run-time Environment||Fast Forward||Next|
PostgreSQL has native support for using SSL connections to encrypt client/server communications for increased security. This requires that OpenSSL is installed on both client and server systems and that support in PostgreSQL is enabled at build time (see Chapter 14).
With SSL support compiled in, the PostgreSQL server can be started with SSL enabled by setting the parameter ssl to on in postgresql.conf. When starting in SSL mode, the server will look for the files server.key and server.crt in the data directory, which should contain the server private key and certificate, respectively. These files must be set up correctly before an SSL-enabled server can start. If the private key is protected with a passphrase, the server will prompt for the passphrase and will not start until it has been entered.
The server will listen for both standard and SSL connections on the same TCP port, and will negotiate with any connecting client on whether to use SSL. See Chapter 19 about how to force the server to require use of SSL for certain connections.
For details on how to create your server private key and certificate, refer to the OpenSSL documentation. A simple self-signed certificate can be used to get started for testing, but a certificate signed by a certificate authority (CA) (either one of the global CAs or a local one) should be used in production so the client can verify the server's identity. To create a quick self-signed certificate, use the following OpenSSL command:
openssl req -new -text -out server.req
Fill out the information that openssl asks for. Make sure that you enter the local host name as "Common Name"; the challenge password can be left blank. The program will generate a key that is passphrase protected; it will not accept a passphrase that is less than four characters long. To remove the passphrase (as you must if you want automatic start-up of the server), run the commands
openssl rsa -in privkey.pem -out server.key rm privkey.pem
Enter the old passphrase to unlock the existing key. Now do
openssl req -x509 -in server.req -text -key server.key -out server.crt chmod og-rwx server.key
to turn the certificate into a self-signed certificate and to copy the key and certificate to where the server will look for them.
Note that if you do not do this as "postgres" (on my system openssl is locked down using ACLs so I cannot), you MUST ensure that the key and certificate are owned by postgres.
In any case these files need to be given 0400 (or possibly 0440)permissions.
the option '-days 365' is usefull in the 'openssl req' command,
otherwise your certificate is only valid for a month