The PostgreSQL 9.0 Reference Manual - Volume 2 - Programming Guide
by The PostgreSQL Global Development Group
Paperback (6"x9"), 478 pages
RRP £14.95 ($19.95)
1.17.2 Client certificates
If the server requests a trusted client certificate,
libpq will send the certificate stored in the file ‘~/.postgresql/postgresql.crt’ in the user's home
directory. The certificate must be signed by one of the certificate
authorities (CA) trusted by the server. A matching
private key file ‘~/.postgresql/postgresql.key’ must also
be present. The private
key file must not allow any access to world or group; achieve this by the
command chmod 0600 ~/.postgresql/postgresql.key.
On Microsoft Windows these files are named
‘%APPDATA%\postgresql\postgresql.crt’ and
‘%APPDATA%\postgresql\postgresql.key’, and there
is no special permissions check since the directory is presumed secure.
The location of the certificate and key files can be overridden by the
sslkey or the
In some cases, the client certificate might be signed by an “intermediate” certificate authority, rather than one that is directly trusted by the server. To use such a certificate, append the certificate of the signing authority to the ‘postgresql.crt’ file, then its parent authority's certificate, and so on up to a “root” authority that is trusted by the server. The root certificate should be included in every case where ‘postgresql.crt’ contains more than one certificate.
Note that ‘root.crt’ lists the top-level CAs that are considered trusted for signing server certificates. In principle it need not list the CA that signed the client's certificate, though in most cases that CA would also be trusted for server certificates.
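The following pre-flight check is an added example, not code from the manual or from libpq. It tests the key file's permission bits and the certificate order in ‘postgresql.crt’ as described above. The function names are hypothetical; it assumes that comparing issuer and subject names byte for byte is sufficient, and it does not verify signatures or ask the server which authorities it trusts.

```python
import base64, os, re, stat

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    pos = _tlv(der, 0)[1]            # enter Certificate SEQUENCE
    pos = _tlv(der, pos)[1]          # enter TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                  # optional [0] version field
        pos = end
    for _ in range(2):               # skip serialNumber and signature algorithm
        pos = _tlv(der, pos)[2]
    issuer_end = _tlv(der, pos)[2]
    validity_end = _tlv(der, issuer_end)[2]
    subject_end = _tlv(der, validity_end)[2]
    return der[pos:issuer_end], der[validity_end:subject_end]

def check_client_cert_files(crt_path, key_path):
    """Return a list of problems; an empty list means the files look usable."""
    problems = []
    if not os.path.isfile(key_path):
        problems.append("private key file is missing")
    elif os.name != "nt" and os.stat(key_path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        # No access for group or world; Windows has no such check.
        problems.append("key is accessible to group or world; chmod 0600 it")
    if not os.path.isfile(crt_path):
        return problems + ["certificate file is missing"]
    with open(crt_path) as f:
        ders = [base64.b64decode(b) for b in PEM_RE.findall(f.read())]
    if not ders:
        return problems + ["no PEM certificate in " + crt_path]
    names = [issuer_subject(d) for d in ders]
    # Required order: client certificate, its signing authority, that one's parent, ...
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not followed by its issuer")
    # With more than one certificate, the last should be the root (issuer == subject).
    if len(names) > 1 and names[-1][0] != names[-1][1]:
        problems.append("chain does not end with a self-issued root certificate")
    return problems
```

Call check_client_cert_files with the paths of ‘postgresql.crt’ and ‘postgresql.key’; an empty list means neither check found a problem.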
ISBN 9781906966065