The PostgreSQL 9.0 Reference Manual - Volume 2 - Programming Guide
by The PostgreSQL Global Development Group
Paperback (6"x9"), 478 pages
ISBN 9781906966065
RRP £14.95 ($19.95)

1.17.2 Client certificates

If the server requests a trusted client certificate, libpq will send the certificate stored in the file ‘~/.postgresql/postgresql.crt’ in the user's home directory. The certificate must be signed by one of the certificate authorities (CA) trusted by the server. A matching private key file ‘~/.postgresql/postgresql.key’ must also be present. The private key file must not allow any access to world or group; achieve this by the command chmod 0600 ~/.postgresql/postgresql.key. On Microsoft Windows these files are named ‘%APPDATA%\postgresql\postgresql.crt’ and ‘%APPDATA%\postgresql\postgresql.key’, and there is no special permissions check since the directory is presumed secure. The location of the certificate and key files can be overridden by the connection parameters sslcert and sslkey or the environment variables PGSSLCERT and PGSSLKEY.

In some cases, the client certificate might be signed by an “intermediate” certificate authority, rather than one that is directly trusted by the server. To use such a certificate, append the certificate of the signing authority to the ‘postgresql.crt’ file, then its parent authority's certificate, and so on up to a “root” authority that is trusted by the server. The root certificate should be included in every case where ‘postgresql.crt’ contains more than one certificate.

Note that ‘root.crt’ lists the top-level CAs that are considered trusted for signing server certificates. In principle it need not list the CA that signed the client's certificate, though in most cases that CA would also be trusted for server certificates.
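
The file requirements described above (default locations, the PGSSLCERT and PGSSLKEY overrides, the key permission rule and the chain appended to ‘postgresql.crt’) can be checked before connecting. The script below is an added example, not part of the PostgreSQL manual or of libpq; the function names are hypothetical, and it assumes a Unix-like system with POSIX sh, ls, cut and grep.

```shell
#!/bin/sh
# Added example: pre-flight check of the libpq client certificate files.
# Covers the default paths and the PGSSLCERT / PGSSLKEY overrides only;
# sslcert / sslkey given in a connection string are not inspected.

# Resolve the paths libpq would use on a Unix-like system.
pg_client_cert_path() { printf '%s\n' "${PGSSLCERT:-$HOME/.postgresql/postgresql.crt}"; }
pg_client_key_path()  { printf '%s\n' "${PGSSLKEY:-$HOME/.postgresql/postgresql.key}"; }

# Succeed only if $1 is a regular file with no group or world access.
pg_key_mode_ok() {
    [ -f "$1" ] || return 1
    # ls -ld mode string: char 1 = type, 2-4 = owner, 5-7 = group, 8-10 = world
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the number of PEM certificates in $1 (prints 0 if there are none).
pg_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' -- "$1" || :
}

# Return 0 if usable; 1 = no certificate file, 2 = no key file,
# 3 = key accessible by group/world, 4 = file holds no PEM certificate.
pg_check_client_cert() {
    crt=$(pg_client_cert_path)
    key=$(pg_client_key_path)
    [ -r "$crt" ] || { echo "missing certificate: $crt" >&2; return 1; }
    [ -f "$key" ] || { echo "missing private key: $key" >&2; return 2; }
    pg_key_mode_ok "$key" || {
        echo "group/world access on key; run: chmod 0600 $key" >&2
        return 3
    }
    n=$(pg_cert_count "$crt")
    [ "$n" -ge 1 ] || { echo "no PEM certificate in $crt" >&2; return 4; }
    if [ "$n" -gt 1 ]; then
        echo "ok: $n certificates (leaf plus chain; root should be last)"
    else
        echo "ok: 1 certificate (leaf only)"
    fi
}
```

Call pg_check_client_cert in the environment the client will run in; a non-zero status identifies which requirement failed.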
