Read the entries listed here:
http://archives.postgresql.org/pgsql-admin/2006-10/msg00103.php

Everything came together for me with:
http://www.postgresql.org/docs/8.1/interactive/libpq-ssl.html

You might want to state your goals, because the config varies depending on
what you are trying to accomplish.

On Sun, Jun 03, 2007 at 12:20:25AM +0200, Andreas wrote:
> Hi,
>
> I've got it so far:
> Server-OS: Debian 3.1 sarge
> PostgreSQL: Debian's binary PG 8.1.8 (still the most recent version
> available)
>
> Following a tutorial (actually for OpenVPN, as I didn't find any for PG
> that goes beyond what is found in the main docu) I created a CA, server
> and client certificate, updated postgresql.conf and pg_hba.conf, did a
> restart of PG and connected from a Windows box with pgAdmin.
> NICE :)
>
> Now as far as I see, even though I have my postgresql.crt+key in place,
> I still have to provide username and password, right?
>
> The server rejects my connection attempt if I move postgresql.crt+key
> away. That's to be expected.
> Can I further check the security of the server? The aim will be to have
> the port open to the Internet.
>
> How can I check that PG accepts only keys produced by my CA?
>
> What would be the correct "Common Name" of a client?
>
> I read that the client can maintain a file root.crt to check the
> identity of the db-server.
> Is this the root.crt that sits in PG's data directory or is it the
> server.crt?
>
> In the documentation there is a certificate-revocation-list file mentioned.
> I suspect this is to revoke a formerly granted key that got lost or is
> owned by a person who shouldn't be allowed to access the DBMS anymore.
> How is this CRL file set up?
>
>
> Is there a documentation that covers those matters more deeply than
> chapters 16.8 and 20.1 of PG's main documentation?
> Especially the whole client-side topic is rather thin for a newbie.
>
>
> Regards
> Andreas
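The practical questions in the quoted mail (does the server really accept only certificates from my CA, which root.crt goes where, how is the CRL set up) can be checked with openssl before opening the port. The script below is an added example; it is not from the thread and not PostgreSQL's own tooling. The working directory, the stand-in data directory and client directory, the CA name "Example DB CA", the server name db.example.org and the client Common Name "andreas" are all assumptions for the demo. It creates a CA, a server certificate, a client certificate and a CRL, copies them to where PostgreSQL 8.1 looks for them (root.crt, root.crl, server.crt and server.key in the data directory; root.crt, postgresql.crt and postgresql.key in the client's ~/.postgresql), and then runs the chain and revocation check the server performs, using openssl verify: the CA-issued client certificate passes, a self-signed certificate with the same Common Name is rejected, and the client certificate is rejected again once it has been revoked and the new CRL installed.

```shell
# Added example (not from the thread or from PostgreSQL): build a CA, server/client certs and
# a CRL with openssl, place them as PostgreSQL 8.1 expects, and run the check the server performs.
set -e

WORK=${WORK:-$(mktemp -d)}           # every path, CA name and Common Name here is an assumption
CA_DIR="$WORK/ca"
PGDATA_DIR="$WORK/pgdata"            # stands in for the server's data directory
PGCLIENT_DIR="$WORK/dot-postgresql"  # stands in for ~/.postgresql on the client

# One-time CA setup: root key/cert plus the bookkeeping files "openssl ca" needs to
# issue and revoke certificates. Re-runnable: always starts from a clean CA.
make_ca() {
    rm -rf "$CA_DIR"; mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/root.crt
private_key = \$dir/root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = local_policy
[ local_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=Example DB CA" \
        -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -keyout "$CA_DIR/root.key" -out "$CA_DIR/root.crt" 2>/dev/null
    chmod 600 "$CA_DIR/root.key"
}

# Issue a CA-signed certificate: $1 = output basename, $2 = Common Name.
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -config "$CA_DIR/openssl.cnf" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
    chmod 600 "$1.key"
}

# A self-signed certificate with a plausible CN: what someone without the CA key can produce.
make_rogue_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=andreas" \
        -config "$CA_DIR/openssl.cnf" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Revoke a certificate (lost key, user gone) and regenerate the CRL.
revoke_cert() {
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$1" >/dev/null 2>&1
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/root.crl" 2>/dev/null
}

# Lay the files out as PostgreSQL 8.1 wants them. root.crt in the data directory makes the
# server demand a client cert chaining to that CA; root.crl adds the revocation check. The
# client's root.crt is the same CA certificate (used to verify server.crt), not server.crt.
install_files() {
    mkdir -p "$PGDATA_DIR" "$PGCLIENT_DIR"
    cp "$CA_DIR/root.crt" "$PGDATA_DIR/root.crt"; cp "$CA_DIR/root.crt" "$PGCLIENT_DIR/root.crt"
    cp "$WORK/server.crt" "$PGDATA_DIR/server.crt"; cp "$WORK/server.key" "$PGDATA_DIR/server.key"
    cp "$WORK/client.crt" "$PGCLIENT_DIR/postgresql.crt"; cp "$WORK/client.key" "$PGCLIENT_DIR/postgresql.key"
    chmod 600 "$PGDATA_DIR/server.key" "$PGCLIENT_DIR/postgresql.key"  # both sides refuse readable keys
    rm -f "$PGDATA_DIR/root.crl"
    if [ -f "$CA_DIR/root.crl" ]; then cp "$CA_DIR/root.crl" "$PGDATA_DIR/root.crl"; fi
}

# The server's check on a presented client cert: it chains to root.crt and, when root.crl
# exists, is not listed there. Exit status 0 means the server would accept it.
check_client_cert() {
    crl_opt=""; cat "$PGDATA_DIR/root.crt" > "$WORK/trust-bundle.pem"
    if [ -f "$PGDATA_DIR/root.crl" ]; then cat "$PGDATA_DIR/root.crl" >> "$WORK/trust-bundle.pem"; crl_opt=-crl_check; fi
    openssl verify $crl_opt -CAfile "$WORK/trust-bundle.pem" "$1" >/dev/null 2>&1
}

# Stand-alone run: accept our client, reject a self-signed one, reject ours once revoked.
demo() {
    make_ca
    issue_cert "$WORK/server" "db.example.org"  # CN: the host name clients connect to
    issue_cert "$WORK/client" "andreas"         # CN: 8.1 does not read it; the DB user name is a sane choice
    make_rogue_cert; install_files
    check_client_cert "$PGCLIENT_DIR/postgresql.crt" && echo "own client cert: accepted"
    check_client_cert "$WORK/rogue.crt" || echo "self-signed cert with the same CN: rejected"
    revoke_cert "$WORK/client.crt"; install_files
    check_client_cert "$PGCLIENT_DIR/postgresql.crt" || echo "revoked client cert: rejected"
}
demo
```

Two points from the quoted questions that the script relies on: the client's ~/.postgresql/root.crt is a copy of the CA certificate, the same file as the server's root.crt, not of server.crt; and PostgreSQL 8.1 only validates the certificate chain (and the CRL when root.crl is present), it does not look at the Common Name, so a password or another pg_hba.conf method is still required and any CN is accepted. Using the database user name as CN is still worthwhile because it keeps the CA's index readable. After replacing root.crl the postmaster has to be restarted, since 8.1 reads the SSL files only at startup.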