|The PostgreSQL 9.0 Reference Manual - Volume 3 - Server Administration Guide
by The PostgreSQL Global Development Group
Paperback (6"x9"), 274 pages
RRP £9.95 ($14.95)
Sales of this book support the PostgreSQL project! Get a printed copy>>>
3.8.1 Using client certificates
To require the client to supply a trusted certificate, place
certificates of the certificate authorities (CAs)
you trust in the file ‘root.crt’ in the data
directory, and set the
1 on the appropriate
hostssl line(s) in
A certificate will then be requested from the client during
SSL connection startup. (See Volume 2: SSL Support for a
description of how to set up certificates on the client.) The server will
verify that the client's certificate is signed by one of the trusted
certificate authorities. Certificate Revocation List (CRL) entries
are also checked if the file ‘root.crl’ exists.
for diagrams showing SSL certificate usage.)
clientcert option in ‘pg_hba.conf’ is
available for all authentication methods, but only for rows specified as
clientcert is not specified
or is set to
0, the server will still verify presented client
certificates against ‘root.crt’ if that file exists--but it will not insist that a client certificate be presented.
Note that ‘root.crt’ lists the top-level CAs that are considered trusted for signing client certificates. In principle it need not list the CA that signed the server's certificate, though in most cases that CA would also be trusted for client certificates.
If you are setting up client certificates, you may wish to use
cert authentication method, so that the certificates
control user authentication as well as providing connection security.
See section 5.3.9 Certificate authentication for details.
|ISBN 9781906966072||The PostgreSQL 9.0 Reference Manual - Volume 3 - Server Administration Guide||See the print edition|