PostgreSQL SSL/TLS basics
Topic: Databases core
Summary
Enable SSL/TLS in PostgreSQL by setting ssl = on and pointing ssl_cert_file and ssl_key_file at the server certificate and key in postgresql.conf. Clients connect with sslmode=require or sslmode=verify-full. Use this for encrypted connections and compliance.
Intent: How-to
Quick answer
- Set ssl = on, ssl_cert_file, and ssl_key_file in postgresql.conf, then restart. Run chmod 600 on the key file.
- Clients use sslmode=require or verify-full. For verify-full, set sslrootcert to the CA certificate. Test with psql.
- Verify in pg_stat_ssl. Rotate certs before expiry.
Steps
- Configure server SSL
  postgresql.conf: ssl = on, ssl_cert_file, ssl_key_file. Restart. Secure key permissions.
- Client and verify
  Use sslmode=require or verify-full; sslrootcert for CA. Confirm encryption.
- Maintain
  Rotate certs before expiry; monitor pg_stat_ssl.
Summary
Enable SSL in PostgreSQL; connect with sslmode; verify and rotate certs.
Steps
Step 1: Configure server SSL
Set ssl, cert, and key in postgresql.conf; restart; secure key.
Step 2: Client and verify
Use sslmode and sslrootcert; verify; rotate certs.
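The server and client checks from the steps above, as an added example that is not part of the original page: it reads postgresql.conf text, checks the key file mode against the chmod 600 guidance, and classifies a keyword=value libpq connection string by sslmode. The function names, sample paths and host name are assumptions, and the parser is simplified (no include files, no URI-style connection strings).

```python
import os
import re
import stat

ON_VALUES = {"on", "true", "yes", "1"}  # boolean spellings postgresql.conf accepts

def parse_conf(text):
    """Return {name: value} from postgresql.conf text ('#' starts a comment)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w.]+)\s*=?\s*'?([^']*)'?$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit_server(conf_text, data_dir):
    """Check the server-side settings this page lists; return a list of findings."""
    s = parse_conf(conf_text)
    findings = []
    if s.get("ssl", "off").lower() not in ON_VALUES:
        findings.append("ssl is not on")
    for name, default in (("ssl_cert_file", "server.crt"), ("ssl_key_file", "server.key")):
        path = os.path.join(data_dir, s.get(name, default))  # relative to data dir
        if not os.path.isfile(path):
            findings.append(f"{name} not found: {path}")
        elif name == "ssl_key_file" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("ssl_key_file is group/world accessible; chmod 600")
    return findings

def audit_client(conninfo):
    """Check a keyword=value libpq connection string; return a list of findings."""
    opts = dict(kv.split("=", 1) for kv in conninfo.split() if "=" in kv)
    mode = opts.get("sslmode", "prefer")  # libpq's default when sslmode is unset
    if mode in ("disable", "allow", "prefer"):
        return [f"sslmode={mode} does not guarantee encryption"]
    if mode == "require":
        return ["sslmode=require encrypts but does not check the server hostname"]
    if "sslrootcert" not in opts:
        return [f"sslmode={mode} without sslrootcert relies on libpq's default CA file"]
    return []

if __name__ == "__main__":
    # Constructed sample inputs; the paths and host name are placeholders.
    conf = "ssl = on\nssl_cert_file = 'server.crt'\nssl_key_file = 'server.key'\n"
    print(audit_server(conf, "/var/lib/postgresql/data"))
    print(audit_client("host=db.example.internal dbname=app sslmode=require"))
```

An empty list from both functions means the configuration matches the settings described on this page; it does not confirm that a live connection is encrypted, which is what pg_stat_ssl is for.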
Verification
- pg_stat_ssl shows encrypted connections.
Troubleshooting
- Handshake failed: check cert paths and client CA.
- Cert expired: rotate and restart.