To allow connection to the PostgreSQL database using secured SSL/TLS connection, both the database server and client (or another PostgreSQL database server) have to be properly configured.
Step-by-step guide
Configure PostgreSQL server for SSL/TLS connection
Create / download trusted root certificate.
Create server certificate and private keys for your PostgreSQL server.
server.crt (server certificate)
server.key (private key)
Please note that certificate's subject CN (Common Name) must be equal to PostgreSQL server's domain name.
In case your key/certificate is in a different format than specified, you can convert it following the guide in Conversions between different keystores and certificate types.
Copy your root certificate, server certificate and private key to PostgreSQL's
/data
folder, named as root.crt, server.key and server.crt .- Verify if the file postgresql.conf in PostgreSQL's data folder supports SSL connection, meaning the configuration property "ssl" has to be set accordingly: ssl = on
Configure the hosts that are required to use SSL/TLS connection in pg_hba.conf in PostgreSQL's data folder, by using hostssl instead of host, e.g.
hostssl <database name> <db user name> <IP of the client>/
32
md5
Restart the postgresql service
Configure the client
Create client certificate and private key and sign the certificate by the server's root certificate.
root.crt (trusted certificate authorities)
postgresql.crt (client certificate)
postgresql.key (client private key)
Note that certificate's CN (Common Name) must be equal to the database user name you’ve set in the pg_hba.conf server configuration.
These files must be in the following directories:
%appdata%\postgresql\ - This directory is used by the installer
C:\Windows\system32\config\systemprofile\AppData\Roaming\postgresql\ - This directory is used by Dispatcher Paragon
Using option clientcert=1 in pg_hba.conf will require the presence of the certificate on client machine.
For more information how to create a certificate please see System communication hardening article.
More information about the SSL configuration could be found in official PostgreSQL documentation https://www.postgresql.org/docs/16/ssl-tcp.html and https://www.postgresql.org/docs/16/libpq-ssl.html.
Useful article https://dzone.com/articles/establish-a-secure-ssl-connection-to-postgresql-db.