Setting Up Client Certificates

The instructions in this section are to be performed on all the Key Manager Servers.

  1. Create the directory for the client certificates:

    # mkdir /var/lib/sshmgr/.postgresql

    Place the client key and the client certificate in this directory.

    You can use client_postgresql.key as the client key, and client_postgresql.crt as the client certificate (these were created in Creating SSL Certificates).

  2. Rename the client key and client certificate to the following:

    • Client key: postgresql.key

    • Client certificate: postgresql.crt

  3. Set the necessary permissions for the certificate directory and for the files in it.

    The certificate directory and its files must be owned by sshmgr:tectia. Furthermore, the client key must not be accessible to group or world. The certificate file must be readable by the sshmgr user.

    The correct permissions can be achieved with the following commands:

    # chown -R sshmgr:tectia /var/lib/sshmgr/.postgresql
    # chmod 0600 /var/lib/sshmgr/.postgresql/postgresql.key
    # chmod 0644 /var/lib/sshmgr/.postgresql/postgresql.crt

    You have now set up the necessary certificates to allow the Key Manager Server to connect to the Key Manager Database using SSL-secured connections. You can now run ssh-mgr-setup on the Key Manager Server to finalize the settings.

    For information about setting up Key Manager Servers, see Setting Up Key Manager Servers.
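
To confirm the result of steps 1 to 3 on each server, the following check reports a missing file, a wrong owner, or a key or certificate mode that does not meet the requirements above. It is an added example, not part of the product documentation; the function name check_pg_client_certs is hypothetical and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit the client certificate directory from steps 1-3.
# check_pg_client_certs is a hypothetical helper name; GNU stat is assumed.
# Usage: check_pg_client_certs [DIR] [OWNER:GROUP]

check_pg_client_certs() {
    dir=${1:-/var/lib/sshmgr/.postgresql}
    want=${2:-sshmgr:tectia}
    key=$dir/postgresql.key
    crt=$dir/postgresql.crt
    rc=0

    # The directory and both files must exist and be owned by sshmgr:tectia.
    for f in "$dir" "$key" "$crt"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        own=$(stat -c '%U:%G' "$f")
        if [ "$own" != "$want" ]; then
            echo "OWNER   $f is $own, expected $want"; rc=1
        fi
    done

    # Client key: no permission bits for group or world (mask 077).
    if [ -f "$key" ]; then
        kmode=$(stat -c '%a' "$key")
        if [ $(( 0$kmode & 077 )) -ne 0 ]; then
            echo "MODE    $key is $kmode, group/world bits must be clear"; rc=1
        fi
    fi

    # Client certificate: the owner (sshmgr) must be able to read it (bit 0400).
    if [ -f "$crt" ]; then
        cmode=$(stat -c '%a' "$crt")
        if [ $(( 0$cmode & 0400 )) -eq 0 ]; then
            echo "MODE    $crt is $cmode, owner read bit is missing"; rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK      $dir"
    return "$rc"
}
```

Called with no arguments it checks /var/lib/sshmgr/.postgresql against sshmgr:tectia; a non-zero exit status means at least one requirement is not met.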