Hi, I've got it so far: Server-OS: Debian 3.1 sarge PostgreSQL: Debian's binary PG 8.1.8 (still the most recent version available) Following a tutorial (actually for OpenVPN as I didn't find any for PG that goes beyond what is found in the main docu) I created a CA, server and client certificate, updated postgresql.conf and pg_hba.conf, did a restart of PG and connected from a windows box with pgAdmin. NICE :) Now as far as I see, even though I have my postgresql.crt+key in place, I still have to provide username and password, right? The server rejects my connection attempt if I move postgresql.crt+key away. Thats to be expected. Can I further check the security of the server? The aim will be to have the port open to the Internet. How can I check that PG accepts only keys produced by my CA? What would be the correct "Common Name" of a client? I read that the client can maintain a file root.crt to check the identity of the db-server. Is this the root.crt that sits in PG's data-directory or is it the server.crt ? In the documentation there is a certificate-revocation-list-file mentioned. I suspect this is to revoke a formerly granted key that got lost or is owned by a person who shouldn't be allowed to access the dbms anymore. How is this CRL file set up? Is there a documentation, that covers those matters more deeply than chapter 16.8 and 20.1 of PG's main documentation? Especially the whole client-side topic is rather thin for a newbie. Regards Andreas
