If the server attempts to verify the identity of the
client by requesting the client's leaf certificate,
-
libpq will send the certificate
s stored in
+
libpq will send the certificate
(s) stored in
file ~/.postgresql/postgresql.crt in the user's home
directory. The certificates must chain to the root certificate trusted
by the server. A matching
private key file ~/.postgresql/postgresql.key must also
- be present. The private
- key file must not allow any access to world or group; achieve this by the
- command chmod 0600 ~/.postgresql/postgresql.key.
+ be present.
On Microsoft Windows these files are named
%APPDATA%\postgresql\postgresql.crt and
- %APPDATA%\postgresql\postgresql.key, and there
- is no special permissions check since the directory is presumed secure.
+ %APPDATA%\postgresql\postgresql.key.
The location of the certificate and key files can be overridden by the
- connection parameters sslcert and sslkey or the
+ connection parameters sslcert
+ and sslkey, or by the
environment variables PGSSLCERT and PGSSLKEY.
+ On Unix systems, the permissions on the private key file must disallow
+ any access to world or group; achieve this by a command such as
+ chmod 0600 ~/.postgresql/postgresql.key.
+ Alternatively, the file can be owned by root and have group read access
+ (that is, 0640 permissions). That setup is intended
+ for installations where certificate and key files are managed by the
+ operating system. The user of
libpq should
+ then be made a member of the group that has access to those certificate
+ and key files. (On Microsoft Windows, there is no file permissions
+ check, since the %APPDATA%\postgresql directory is
+ presumed secure.)
+
+
The first certificate in postgresql.crt must be the
client's certificate because it must match the client's private key.
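Review bot: The new root-owned alternative ("owned by root and have group read access (that is, 0640 permissions)") leaves the reader to infer that world access is still forbidden in that mode and that ownership by any user other than root or the connecting user is not accepted; spell both out, e.g. "the file must be owned by root, must not be world-accessible, and may grant read access to a group of which the libpq user is a member", since a reader who only sees "group read access" may assume 0644 on a root-owned file is also tolerated. The paragraph also never says what libpq does when the permissions check fails (refuses to load the key and reports an error, presumably), which the removed sentence did not say either but which matters now that two distinct acceptable layouts exist; one sentence stating the failure behaviour would close that gap. Moving the permissions text after the sslcert/sslkey/PGSSLCERT/PGSSLKEY sentence is a good change, as it makes clear the check applies to an overridden key path as well, not only to the default ~/.postgresql/postgresql.key.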