On 2019-10-17 07:20, raf wrote:
https://www.postgresql.org/docs/12/ssl-tcp.html says: "Using a passphrase also disables the ability to change the server's SSL configuration without a server restart."
This is actually no longer true since PostgreSQL 11. I have committed a fix.
How is the TLS key changed without a server restart? Is replacing the server.crt/server.key files enough or is there more to it?
You need to issue a reload, for example using SIGHUP. That is supported since PostgreSQL 10.
And will existing connections continue to use the old key until they disconnect?
Yes.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
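The rotation discussed in this thread (replace server.crt/server.key, then reload with SIGHUP), as an added example that is not part of the original messages or PostgreSQL's own code. It assumes the default file names inside the data directory, an unencrypted key, and that it runs as the OS user that owns the server; `rotate_server_cert` and `verify_pair` are hypothetical names.

```python
import os
import shutil
import signal
import ssl
import tempfile
from pathlib import Path


def verify_pair(cert, key, password=None):
    """Raise ssl.SSLError unless both files parse and the key matches the cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(os.fspath(cert), os.fspath(key), password)


def _stage(src, dest, mode):
    # Copy next to the destination so the later os.replace() is an atomic
    # rename on the same filesystem. mkstemp creates the file with mode 0600.
    fd, tmp = tempfile.mkstemp(dir=dest.parent, prefix=dest.name + ".")
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
        out.flush()
        os.fsync(out.fileno())
    os.chmod(tmp, mode)
    return tmp


def rotate_server_cert(pgdata, new_cert, new_key, check=verify_pair):
    """Install a new cert/key pair and ask the running server to reload.

    Assumption: ssl_cert_file and ssl_key_file are left at server.crt and
    server.key in the data directory. Returns the PID that was signalled.
    """
    pgdata = Path(pgdata)
    # Pre-flight: reject a broken or mismatched pair before touching live files.
    check(new_cert, new_key)
    # The first line of postmaster.pid holds the postmaster's PID.
    pid = int((pgdata / "postmaster.pid").read_text().splitlines()[0])
    key_tmp = _stage(new_key, pgdata / "server.key", 0o600)
    cert_tmp = _stage(new_cert, pgdata / "server.crt", 0o644)
    os.replace(key_tmp, pgdata / "server.key")
    os.replace(cert_tmp, pgdata / "server.crt")
    # Reload: as stated in the thread, connections that are already open keep
    # using the old key until they disconnect.
    os.kill(pid, signal.SIGHUP)
    return pid
```

Because established sessions keep the old key, a rotation prompted by key compromise is only complete once those sessions have ended.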