Re: Need a wee bit more info on PostgreSQL's SSL security options

From Ray Stell
Subject Re: Need a wee bit more info on PostgreSQL's SSL security options
Msg-id 20070603232547.GD29909@cns.vt.edu
In reply to Need a wee bit more info on PostgreSQL's SSL security options  (Andreas <maps.on@gmx.net>)
Responses Re: Need a wee bit more info on PostgreSQL's SSL security options
List pgsql-admin
Read the entries listed here:
http://archives.postgresql.org/pgsql-admin/2006-10/msg00103.php

Everything came together for me with:
http://www.postgresql.org/docs/8.1/interactive/libpq-ssl.html

You might want to state your goals, because the config varies depending
on what you are trying to accomplish.




On Sun, Jun 03, 2007 at 12:20:25AM +0200, Andreas wrote:
> Hi,
>
> I've got it so far:
> Server-OS: Debian 3.1 sarge
> PostgreSQL: Debian's binary PG 8.1.8 (still the most recent version
> available)
>
> Following a tutorial (actually for OpenVPN as I didn't find any for PG
> that goes beyond what is found in the main docu) I created a CA, server
> and client certificate, updated postgresql.conf and pg_hba.conf, did a
> restart of PG and connected from a windows box with pgAdmin.
> NICE :)
>
> Now as far as I see, even though I have my postgresql.crt+key in place,
> I still have to provide username and password, right?
>
> The server rejects my connection attempt if I move postgresql.crt+key
> away. That's to be expected.
> Can I further check the security of the server? The aim will be to have
> the port open to the Internet.
>
> How can I check that PG accepts only keys produced by my CA?
>
> What would be the correct  "Common Name"  of a client?
>
> I read that the client can maintain a file  root.crt  to check the
> identity of the db-server.
> Is this the  root.crt  that sits in PG's data-directory or is it the
> server.crt  ?
>
> In the documentation there is a certificate-revocation-list-file mentioned.
> I suspect this is to revoke a formerly granted key that got lost or is
> owned by a person who shouldn't be allowed to access the dbms anymore.
> How is this CRL file set up?
>
>
> Is there a documentation, that covers those matters more deeply than
> chapter 16.8 and 20.1 of PG's main documentation?
> Especially the whole client-side topic is rather thin for a newbie.
>
>
> Regards
> Andreas
