SSL Certificates For PostgreSQL

This describes how to set up ssl certificates to enable encrypted connections from PgAdmin on some client machine to postgresql on a server machine. The assumption is that postgresql (compiled with ssl support) and openssl are already installed and functional on the server (Linux). PgAdmin is already installed on the client (either Windows or Linux).

On the server, three certificates are required in the data directory. CentOS default is /var/lib/pgsql/data/:
root.crt (trusted root certificate)
server.crt (server certificate)
server.key (private key)

Issue commands as root.

sudo -

cd /var/lib/pgsql/data

Generate a private key (you must provide a passphrase).

openssl genrsa -des3 -out server.key 1024

Remove the passphrase.

openssl rsa -in server.key -out server.key

Set appropriate permission and owner on the private key file.

chmod 400 server.key
chown postgres.postgres server.key

Create the server certificate.
-subj is a shortcut to avoid prompting for the info.
-x509 produces a self signed certificate rather than a certificate request.

openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=CA/ST=British [email protected]'

Since we are self-signing, we use the server certificate as the trusted root certificate.

cp server.crt root.crt

You'll need to edit pg_hba.conf. For example:

# "local" is for Unix domain socket connections only
local   all         all                               trust
# IPv4 local connections:
host    all         all          trust

# IPv4 remote connections for authenticated users hostssl all www-data md5 clientcert=1
hostssl all postgres md5 clientcert=1

You need to edit postgresql.conf to actually activate ssl:

ssl = on

Postgresql server must be restarted.

/etc/init.d/postgresql restart

If the server fails to (re)start, look in the postgresql startup log, /var/lib/pgsql/pgstartup.log default for CentOS, for the reason.

On the client, we need three files. For Windows, these files must be in %appdata%\postgresql\ directory. For Linux ~/.postgresql/ directory.
root.crt (trusted root certificate)
postgresql.crt (client certificate)
postgresql.key (private key)

Generate the the needed files on the server machine, and then copy them to the client. We'll generate the needed files in the /tmp/ directory.

First create the private key postgresql.key for the client machine, and remove the passphrase.

openssl genrsa -des3 -out /tmp/postgresql.key 1024

openssl rsa -in /tmp/postgresql.key -out /tmp/postgresql.key

Then create the certificate postgresql.crt. It must be signed by our trusted root (which is using the private key file on the server machine). Also, the certificate common name (CN) must be set to the database user name we'll connect as.

openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=CA/ST=British Columbia/L=Comox/'

openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial

Copy the three files we created from the server /tmp/ directory to the client machine.

Copy the trusted root certificate root.crt from the server machine to the client machine (for Windows pgadmin %appdata%\postgresql\ or for Linux pgadmin ~/.postgresql/). Change the file permission of postgresql.key to restrict access to just you (probably not needed on Windows as the restricted access is already inherited). Remove the files from the server /tmp/ directory.

Share this page:

8 Comment(s)

Add comment


From: Gurjeet Singh at: 2011-01-03 19:20:13

Using /tmp directory to generate certificates is simply asking for trouble. I am not sure what permissions OpenSSL uses when creating files, but anything in /tmp is world-readable by default, hence insecure since anybody can copy it from there before you get a chance to delete the files.



From: Jason Smith at: 2011-01-05 10:07:14

I think the same process can be used if you are using other certificates. I use a Quick SSL and used the above process and it was successful. What do you think, will i face any problems later?

From: Vince Herried at: 2011-04-16 01:31:16

in the last steps u say copy the the three files generated on

/tmp on the server to the client.

Where on the client?

u say copy root.crt into pgadmin ~/.posgresql/ 

I have no directory by that name. Huh... user pgadmin?

or user 'vince' ( me )

I'm running Fedora F14  postgresql-8.4.7-1


From: at: 2011-05-25 16:31:19

As user "vince". That is, as the user (on the client machine) you normally work as.

You need to create the directory on the client machine:mkdir ~/.postgresql

After copying the three files from the server (/tmp/{postgresql.key,postgresql.crt,root.crt}) to the client machine (into directory ~/.postgresql/), you'll need to set the permission of the key to not world readable: chmod 0400 ~/.postgresql/postgresql.key

On windows, permissions in the are handled automatically for you.

From: Jean-Yves F. Barbier at: 2011-05-30 14:42:56


I followed this HOWTO but found the last command is wrong; ORG code is:

openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial

but should be:

openssl x509 -req -in server.req -out /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial

Anyway, thanks for this excellent HOWTO as it is only using the user name and thus permits a real easy use when you don't have an official IP address nor domain :)


From: gwyn at: 2011-10-24 14:14:27

You must add "clientcert=1" to hostssl options for checking the client certificates, otherwise everyone will be granted access in your setup:
hostssl all postgres trust clientcert=1
See: PostgreSQL documentation, 17.9.1. Using Client Certificates

From: Jeff E Mandel at: 2016-02-21 23:12:12

If you want to use this with certificates from, you are limited in what you can place in the CN of the certificate. The workaround is to create server certificates for users in your domain and use a map. Thus, I create a csr on my client machine:

cd ~/.postgresql

openssl req -out postgresql.csr -new -newkey rsa:2048 -nodes -keyout postgresql.key


Specifying Paste the CSR into, and save the resulting certificate as ~/.postgresql/postgresql.crt (you might also need place the root cert in that directory).


On the server, in pg_hba:


hostnossl  all all reject

hostssl    all all cert map=ssl clientcert=1


In pg_ident:


ssl /^(.*).mydomain\.org$ \1


Now you can connect from the client:


psql -h

psql (9.4.6, server 9.4.1)


SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)


Next project - figure out how to make this work with JDBC




From: Slobodan Vesovic at: 2016-09-30 10:07:07

Tnx! Very helpful