1) Copy five arbitrary files (called f1, f2, f3, f4 and f5 below) into /usr/share/ssl to use as extra seed material for OpenSSL's random number generator. On OpenSSL 1.1.1 and later the library seeds itself from the operating system, so this step and the -rand option below can be skipped.
2) Create an RSA private key that is not protected by a pass phrase (the PostgreSQL server cannot prompt for one at startup). Run this in /usr/share/ssl and use at least 2048 bits; 1024-bit RSA keys are rejected by current TLS clients:
openssl genrsa -rand f1:f2:f3:f4:f5 -out server.key 2048
Now back up server.key. The copy is unencrypted, so store it with the same access restrictions as the original.
3) Generate the Certificate Signing Request (CSR) from the RSA private key. The command below prompts for the X.509 attributes of the certificate; when asked for the Common Name, give the server's fully qualified domain name (FQDN), which is what clients will verify against.
openssl req -new -key server.key -out server.csr
After generating the CSR you can send it to a commercial CA such as Verisign: paste the CSR into the CA's web form, pay, wait for the signed certificate and save it as server.crt. That is a publicly trusted certificate, which clients accept without any extra configuration. The CSR contains only the public key; server.key never leaves the machine.
4) If you want to sign the certificate yourself instead, you need your own CA key pair first (see the OpenSSL docs on CA.pl), then sign the CSR with it:
/usr/share/ssl/misc/sign.sh server.csr
This signs the CSR and writes the result to server.crt. Clients will only trust such a certificate if your CA certificate is distributed to them (for libpq clients, in their root.crt). For a single server you can also self-sign the CSR with its own key (openssl x509 -req -signkey server.key), which needs no CA at all.
5) Place the certificate server.crt and the key server.key in the data directory, /var/lib/pgsql/data. PostgreSQL refuses to start if the key file is readable by group or world, so the key must be owned by the postgres user with mode 0600 or stricter; the certificate is public and may stay readable, but the commands below lock both down:
chmod 0400 server.key server.crt
chown postgres:postgres server.crt server.key
6) Edit postgresql.conf and set ssl = on (ssl = true is an accepted spelling of the same boolean), then restart the server so the setting takes effect; on PostgreSQL 10 and later a reload is enough. server.crt and server.key in the data directory are the default file names; PostgreSQL 9.2 and later also let you point ssl_cert_file and ssl_key_file at other locations.
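The six steps above, as one self-signed script you can run end to end. This is an added example, not the post's own commands: the function names (make_self_signed_cert, install_pg_certs, check_key_perms, check_cert_matches_key, cert_cn) are hypothetical helpers, the host name db.example.internal and the working directories are illustrative, and it self-signs the CSR with its own key instead of calling sign.sh. It also adds the two checks a practitioner wants before restarting PostgreSQL: that the key file has no group/world bits and that the certificate really belongs to the key.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed server
# certificate for PostgreSQL, install it with the permissions the server
# enforces, and verify the result. Helper names and paths are hypothetical.
set -eu

# Steps 2-4 of the post, self-signed variant: key, CSR, then sign the CSR
# with its own key (no CA key pair needed). OpenSSL >= 1.1.1 seeds its RNG
# itself, so the -rand f1:f2:... option is omitted.
make_self_signed_cert() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    # 2048-bit RSA, no pass phrase (the server cannot prompt for one).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # -subj replaces the interactive prompts; CN must be the server's FQDN.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$cn"
    # Self-sign the CSR with the same key that made it.
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -days "$days" 2>/dev/null
}

# Step 5: copy into the data directory. PostgreSQL refuses to start if the key
# is group- or world-readable, so it gets 0600; the certificate is public.
# chown only when an owner is given and we are root.
install_pg_certs() {
    src=$1; pgdata=$2; owner=${3:-}
    mkdir -p "$pgdata"
    cp "$src/server.crt" "$src/server.key" "$pgdata/"
    chmod 0600 "$pgdata/server.key"
    chmod 0644 "$pgdata/server.crt"
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$pgdata/server.crt" "$pgdata/server.key"
    fi
}

# Octal mode of a file; GNU stat first, BSD/macOS stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Returns 0 when the key has no group/other permission bits (e.g. 600, 400).
check_key_perms() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Returns 0 when the public key inside the certificate equals the public
# half of the private key, i.e. server.crt and server.key belong together.
check_cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Subject of the certificate in RFC 2253 form, e.g. "CN=db.example.internal".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Demo run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_self_signed_cert "$work/src" db.example.internal 365
    install_pg_certs "$work/src" "$work/pgdata"
    check_key_perms "$work/pgdata/server.key" && echo "key permissions ok"
    check_cert_matches_key "$work/pgdata/server.crt" "$work/pgdata/server.key" \
        && echo "certificate matches key"
    echo "subject: $(cert_cn "$work/pgdata/server.crt")"
    echo "files in $work/pgdata; now set ssl = on in postgresql.conf and restart"
fi
```

For a real install run it as root with the data directory and owner, for example install_pg_certs ./src /var/lib/pgsql/data postgres, and run check_key_perms on the installed key before restarting PostgreSQL: a key that fails it is exactly the case in which the server refuses to start.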