On Thu, Oct 17, 2019 at 04:20:42PM +1100, raf wrote:
> Hi,
>
> https://www.postgresql.org/docs/12/ssl-tcp.html says:
>
>     "Using a passphrase also disables the ability to
>     change the server's SSL configuration without a
>     server restart."
>
> How is the TLS key changed without a server restart?
> Is replacing the server.crt/server.key files enough
> or is there more to it?
>
> And will existing connections continue to use the old
> key until they disconnect?

The Postgres docs say:

    https://www.postgresql.org/docs/12/ssl-tcp.html#SSL-SERVER-FILES

    The server reads these files at server start and whenever the server
    configuration is reloaded. On Windows systems, they are also re-read
    whenever a new backend process is spawned for a new client connection.

I actually don't know if existing sessions start using the new certificate,
or just new sessions. This doc sentence suggests even existing sessions use
the new certificate:

    If an error in these files is detected at server start, the server will
    refuse to start. But if an error is detected during a configuration
    reload, the files are ignored and the old SSL configuration continues
    to be used.

-- 
  Bruce Momjian  <bruce@xxxxxxxxxx>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
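As an added example (not from the thread or from PostgreSQL itself), a small Python probe that opens a fresh connection, sends the protocol's SSLRequest packet, and records the SHA-256 fingerprint of the certificate the server presents; run it before and after replacing server.crt/server.key and issuing a reload to confirm that new sessions are offered the new certificate. An unchanged fingerprint after the reload is the symptom of the "files are ignored" case quoted above, so the server log is the next place to look. Host and port are assumptions; an already-established session keeps the certificate negotiated in its own handshake, which this probe cannot observe.

```python
import hashlib
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 message length (8) followed by the
# protocol's magic code 80877103 = (1234 << 16) | 5679.
SSL_REQUEST_CODE = (1234 << 16) | 5679


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest message the client sends first."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def fingerprint_der(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def fetch_server_cert(host: str, port: int = 5432, timeout: float = 5.0) -> bytes:
    """Open a new connection, negotiate TLS, return the server's leaf cert (DER)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only want to inspect the cert, not trust it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        answer = sock.recv(1)
        if answer != b"S":  # 'N' means the server refuses TLS on this socket
            raise RuntimeError(f"server declined TLS (reply {answer!r})")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def cert_changed(before_der: bytes, after_der: bytes) -> bool:
    """True when the two connections were offered different certificates."""
    return fingerprint_der(before_der) != fingerprint_der(after_der)


if __name__ == "__main__":
    # Assumed host/port: adjust to the server under test.
    before = fetch_server_cert("127.0.0.1", 5432)
    print("before reload:", fingerprint_der(before))
    input("Replace server.crt/server.key, run `pg_ctl reload`, then press Enter...")
    after = fetch_server_cert("127.0.0.1", 5432)
    print("after reload: ", fingerprint_der(after))
    print("new sessions get the new certificate:", cert_changed(before, after))
```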