Skip to main content

Creating SSL Certificates

The instructions in this section can be run on any Unix machine with openssl installed.

Certificates are required for authenticating the PostgreSQL client and server during database connections. To enable SSL connections between the Key Manager Servers and the Key Manager Database you must create the following files for the Key Manager Database:

  • server private key

  • server certificate

Furthermore, you must create the following files for each Key Manager Server:

  • client private key

  • client certificate

To create the necessary files:

  1. Create the server private key, and the server certificate:

    # openssl req -subj '/CN=pgserver.example.com' -x509 \
    -nodes -days 3650 -newkey rsa:2048 -extensions v3_ca \
    -keyout pgdbca.key -out pgdbca.crt

    The above command creates the server private key pgdbca.key, and the server certificate pgdbca.crt. The files are created to the current working directory.

    In the above example command, you can substitute the values for the following options:

    • subj: The subject of the certificate. By convention, the Common Name (CN) is set to the address of the server.

    • days: How many days the certificate is valid.

    • keyout: The file name for the new server private key.

    • out: The file name for the new server certificate.

  2. Create the client private key:

    # openssl genrsa -out client_postgresql.key 2048

    The above command creates the client private key client_postgresql.key to the current working directory.

    In the above example command, you can substitute the values in the following options:

    • out: The file name for the new client private key.

      If your Key Manager deployment contains multiple clients (Key Manager Servers), it is recommended that you name the client private key so that you know which client it is meant for. For example, you can name the key client_postgresql.key, where client is the name of the Key Manager Server.

  3. Generate a Certificate Signing Request (CSR) from the private key:

    # openssl req -subj '/CN=keymanager' -key client_postgresql.key \
    -new -out client_postgresql.csr

    The above command creates the client CSR client_postgresql.csr to the current working directory. The CSR is required later for creating the client certificate.

    In the above example command, you can substitute the values in the following options:

    • subj: The Common Name (CN) for the client. The CN must be equal to the Key Manager Database user. For example, if the name of the database user is keymanager, then this should be set to '/ CN=keymanager'

    • key: The path of the client private-key file, which was created in step 2.

    • out: The file name for the new client private key.

      If your Key Manager deployment contains multiple clients (Key Manager Servers), it is recommended that you name the client private key so that you know which client it is meant for. For example, you can name the key client_postgresql.key, where client is the name of the Key Manager Server.

  4. Then use the CSR to create the client certificate:

    # openssl x509 -days 3650 -req -in client_postgresql.csr -CA pgdbca.crt \
    -CAkey pgdbca.key -CAserial pgdbca.srl \
    -CAcreateserial -out client_postgresql.crt

    The above command creates the client certificate client_postgresql.crt to the current working directory.

    In the above example command, you can substitute the values in the following options:

    • in: The path of the CSR file, which was created in step 3.

    • CA: The path of the server certificate, which was created in step 1

    • CAkey: The path of the server private key, which was created in step 1

    • path_to_serial_file: The path of the new server serial. The default filename consists of the server certificate file base name with .srl appended. For example if the server certificate is at /etc/pki/tls/certs/pgdbca.crt, then this option should be set to /etc/pki/tls/certs/pgdbca.srl

    • out: The path of the new client certificate.

  5. Concatenate the CA certificate to the client certificate files:

    # cat pgdbca.crt >> client_postgresql.crt

  6. Repeat steps 2 through 5 to create client keys and certificates for additional Key Manager Servers.

You have now created the necessary key and certificate files. Instructions for setting up the keys and certificates is provided in the following sections.