The PostgreSQL 9.0 Reference Manual - Volume 3 - Server Administration Guide
by The PostgreSQL Global Development Group. Paperback (6"x9"), 274 pages, ISBN 9781906966072, RRP £9.95 ($14.95). Sales of this book support the PostgreSQL project.
3.8.1 Using client certificates
To require the client to supply a trusted certificate, place
certificates of the certificate authorities (CAs)
you trust in the file ‘root.crt’ in the data
directory, and set the clientcert parameter
to 1 on the appropriate hostssl line(s) in
‘pg_hba.conf’.
A certificate will then be requested from the client during
SSL connection startup. (See Volume 2: SSL Support for a
description of how to set up certificates on the client.) The server will
verify that the client's certificate is signed by one of the trusted
certificate authorities. Certificate Revocation List (CRL) entries
are also checked if the file ‘root.crl’ exists.
(See http://h71000.www7.hp.com/DOC/83final/BA554_90007/ch04s02.html
for diagrams showing SSL certificate usage.)
The clientcert option in ‘pg_hba.conf’ is
available for all authentication methods, but only on lines of type
hostssl. When clientcert is not specified
or is set to 0, the server will still verify a client certificate
against ‘root.crt’ if the client presents one and that file exists, but it will
not insist that a client certificate be presented; a client that sends no
certificate is authenticated by the line's method alone.
Note that ‘root.crt’ lists the top-level CAs that are considered trusted for signing client certificates. In principle it need not list the CA that signed the server's certificate, though in most cases that CA would also be trusted for client certificates.
If you are setting up client certificates, you may wish to use
the cert authentication method, so that the certificates
control user authentication as well as providing connection security.
See section 5.3.9 Certificate authentication for details.
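The following shell script is an added example and is not part of the manual or of the PostgreSQL distribution. It builds a throwaway CA with the openssl command line, issues client certificates for two hypothetical roles (alice and bob), and then applies to each certificate the same two checks the server applies to a presented client certificate: it must chain to a CA in ‘root.crt’, and it must not be listed in ‘root.crl’ when that file exists. It finishes by printing the three hostssl lines discussed above (the weak one without clientcert, the corrected one with clientcert=1, and the cert method). Assumptions: $WORK stands in for the data directory, the CNs, the 10.0.0.0/8 network and the ‘ca.cnf’/‘index.txt’/‘serial’ file names are made up, and the default openssl.cnf is available so that ‘openssl req -x509’ marks the CA certificate as a CA.

```shell
#!/bin/sh
# Added example (not from the manual): a throwaway CA plus the trust and CRL
# checks the server applies to a client certificate. $WORK stands in for the
# data directory; CNs, the network and helper file names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
    # Self-signed CA; its certificate is what goes into $PGDATA/root.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/root.crt" >/dev/null 2>&1
    # Minimal 'openssl ca' database so we can revoke certificates and sign CRLs.
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = $WORK/index.txt
serial = $WORK/serial
new_certs_dir = $WORK
certificate = $WORK/root.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = lab_policy
[ lab_policy ]
commonName = supplied
EOF
}

issue_client_cert() {
    # $1 is the certificate CN. With the cert auth method the CN is compared to
    # the database user name, so issue one certificate per role.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

revoke_client_cert() {
    # Mark $1's certificate revoked in the CA database (not yet in any CRL).
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
}

publish_crl() {
    # Sign a fresh CRL with the CA key; install it as $PGDATA/root.crl.
    openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 30 \
        -out "$WORK/root.crl" >/dev/null 2>&1
}

client_cert_accepted() {
    # The server's decision on a presented certificate: it must be signed by a
    # CA in root.crt, and must not appear in root.crl if that file exists.
    if [ -f "$WORK/root.crl" ]; then
        openssl verify -CAfile "$WORK/root.crt" -crl_check \
            -CRLfile "$WORK/root.crl" "$WORK/$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
    fi
}

write_pg_hba() {
    # Three hostssl lines for one (made-up) network, weakest first.
    cat <<'EOF'
# TYPE   DATABASE  USER  ADDRESS      METHOD  OPTIONS
# Weak: a presented certificate is checked against root.crt, but a client
# that sends none is still let in on the password alone.
hostssl  all       all   10.0.0.0/8   md5
# Require a certificate signed by a CA in root.crt, then also check a password.
hostssl  all       all   10.0.0.0/8   md5     clientcert=1
# Let the certificate authenticate: its CN must match the database user name.
hostssl  all       all   10.0.0.0/8   cert
EOF
}

make_ca
issue_client_cert alice
issue_client_cert bob
publish_crl                     # empty CRL: nothing revoked yet
client_cert_accepted alice && echo "alice: accepted (trusted CA, not revoked)"
revoke_client_cert alice
publish_crl                     # root.crl now lists alice's serial number
client_cert_accepted alice || echo "alice: rejected (listed in root.crl)"
client_cert_accepted bob   && echo "bob: accepted (same CA, not revoked)"
write_pg_hba
```

The CRL step is the part worth noticing: a revoked certificate still passes the signature check against ‘root.crt’, and is refused only because ‘root.crl’ is present and lists it, so publishing the CRL is what actually cuts off a compromised client key. In 9.0 the server reads ‘root.crt’ and ‘root.crl’ only at server start, so a newly published CRL takes effect after a restart.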