Tuesday, August 18, 2009

SSL-enabling PostgreSQL

1) Copy about five randomly chosen files to /usr/share/ssl to seed OpenSSL's random number generator, e.g. files f1, f2, f3, f4, f5. (OpenSSL seeds itself from /dev/urandom where it exists, so this step only matters on systems without it.)

2) Create an RSA private key that is not protected by a pass phrase (the server must be able to read it unattended at startup):
cd /usr/share/ssl
openssl genrsa -rand f1:f2:f3:f4:f5 -out server.key 1024
Now back up server.key. A 1024-bit RSA key is too short by current standards; use at least 2048 bits.

3) Now generate the Certificate Signing Request (CSR) from the RSA private key. The command below prompts for the X.509 attributes of the certificate; when prompted for the Common Name, give the server's FQDN, because clients that verify the certificate match it against the hostname they connect to.

openssl req -new -key server.key -out server.csr

After generating the CSR you can send it to a commercial CA such as Verisign: paste the CSR into their web form, pay, wait for the signed certificate and store it as server.crt. This is a real (CA-signed) certificate that clients trust without extra configuration.

4) If you want a self-signed certificate instead, you need a CA key pair first (refer to the OpenSSL docs), then sign the CSR with it:

/usr/share/ssl/misc/sign.sh server.csr

This signs the CSR and writes the result to server.crt. Clients will only trust such a certificate if they are given the CA certificate (libpq reads it from ~/.postgresql/root.crt by default).

5) Now place the certificate file server.crt and the key server.key in the /var/lib/pgsql/data directory and lock them down. PostgreSQL refuses to start if server.key is readable by group or others, so the key must be owned by the server user with mode 0600 or stricter; the certificate is public and may stay world-readable.

chmod 0400 server.key server.crt
chown postgres:postgres server.crt server.key

6) Now edit postgresql.conf and set ssl = on (true is accepted as a synonym), then restart the server so the setting and the certificate are loaded. Note that this only allows encrypted connections; to require them for a client, use hostssl rather than host entries in pg_hba.conf.
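The whole procedure as one script, added here as a worked example and not part of the original post: it generates a 2048-bit key and a CSR, self-signs the CSR in place of the sign.sh step, installs the files with the permissions PostgreSQL requires, turns ssl on in postgresql.conf and checks the result. The data directory and hostname are assumptions supplied by the caller, and openssl must be in PATH.

```shell
#!/bin/sh
# Added example (not the post's own commands): key, CSR, self-signed cert,
# permissions, ssl = on, and a verification pass. Assumes openssl is in PATH;
# the data directory and FQDN are caller-supplied assumptions.
set -eu

# Steps 2-4: key, CSR and self-signed certificate. The CSR is what you would
# send to a commercial CA; here it is signed with its own key instead.
# 2048-bit RSA is the minimum worth using today.
make_server_cert() {
    dir="$1"; fqdn="$2"; days="${3:-365}"
    mkdir -p "$dir"
    # umask keeps the key from ever being group/world readable, even briefly
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$fqdn" 2>/dev/null
    # self-sign the CSR (the equivalent of the post's sign.sh step)
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -days "$days" 2>/dev/null
}

# Step 5: PostgreSQL refuses to start if server.key is readable by group or
# others; the certificate is public and can stay readable.
install_pg_ssl_files() {
    dir="$1"
    chmod 0600 "$dir/server.key"
    chmod 0644 "$dir/server.crt"
    # chown only works as root and only if the postgres account exists
    if [ "$(id -u)" -eq 0 ] && id postgres >/dev/null 2>&1; then
        chown postgres:postgres "$dir/server.key" "$dir/server.crt"
    fi
}

# Step 6: set ssl = on, replacing an existing or commented-out line, else append.
# This only allows SSL; to require it, use hostssl lines in pg_hba.conf.
enable_ssl_in_conf() {
    conf="$1"
    if grep -q '^[# ]*ssl *=' "$conf" 2>/dev/null; then
        sed 's/^[# ]*ssl *=.*/ssl = on/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'ssl = on\n' >> "$conf"
    fi
}

# Verification: key and certificate match, CN is the FQDN, the certificate is
# not expired, and the key is unreadable by group/others. Returns 0 on success.
check_pg_ssl_files() {
    dir="$1"; fqdn="$2"
    kmod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null || true)
    cmod=$(openssl x509 -in "$dir/server.crt" -noout -modulus 2>/dev/null || true)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || { echo "key/cert mismatch"; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -subject -nameopt RFC2253 \
        | grep -q "CN=$fqdn" || { echo "CN is not $fqdn"; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate expired"; return 1; }
    # columns 5-10 of ls -l are the group and other permission bits
    [ "$(ls -ld "$dir/server.key" | cut -c5-10)" = "------" ] \
        || { echo "server.key readable by group/others"; return 1; }
    return 0
}

# Usage: sh pg_ssl.sh <data_dir> <fqdn>
#   e.g. sh pg_ssl.sh /var/lib/pgsql/data db.example.com   (paths are assumptions)
main() {
    dir="$1"; fqdn="$2"
    make_server_cert "$dir" "$fqdn"
    install_pg_ssl_files "$dir"
    enable_ssl_in_conf "$dir/postgresql.conf"
    check_pg_ssl_files "$dir" "$fqdn" && echo "ok: restart PostgreSQL to load the certificate"
}
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it as root against the real data directory once you are happy with it on a scratch directory; the check function is the part worth keeping around, since a key that is group-readable or a certificate whose CN does not match the hostname are the two mistakes that most often stop the server from starting or make verifying clients refuse to connect.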
