"Zwettler Markus (OIZ)" <Markus.Zwettler@xxxxxxxxxx> writes: > I am playing around with postgres ssl encryption. I am confused about client certificate authentication: > <quote> > The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. The former option only enforces that the certificate is valid, while the latter also ensures that the cn (Common Name) in the certificate matches the user name or an applicable mapping. > </quote> > https://www.postgresql.org/docs/12/ssl-tcp.html Given that your server is 9.6.x, you're reading the wrong version of the docs. Per https://www.postgresql.org/docs/9.6/auth-pg-hba-conf.html the only clientcert value that does anything is "1": In addition to the method-specific options listed below, there is one method-independent authentication option clientcert, which can be specified in any hostssl record. When set to 1, this option requires the client to present a valid (trusted) SSL certificate, in addition to the other requirements of the authentication method. regards, tom lane
