标签:cert x509 create inf 客户 tmp res mod 需要
服务器端需生成三个文件: root.crt(根证书)、server.crt(服务器证书)、server.key(服务器私钥)
## 此处需输入密码,并需要再次确认输入密码
openssl genrsa -des3 -out server.pem 2048
需移除密码,否则数据库重启时会出现异常
openssl rsa -in server.pem -out server.key
# 此处可以一路enter,不用输入
openssl req -new -key server.key -days 3650 -out server.crt -x509
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj ‘/C=CA/ST=British Columbia/L=Comox/O=TheBrain.ca/CN=thebrain.ca/emailAddress=info@thebrain.ca‘
说明:
| Unit | 说明 | 示例 |
|---|---|---|
/C= |
Country | CN |
/ST= |
State | guangzhou |
/L= |
Location | gz |
/O |
Organization | Global Security |
/OU=(optional) |
Organizational Unit | IT Department |
/CN= |
Common Name | example |
/emailAddress= |
email@example.com |
由于没有公证机构提供,只能使用自签名证书,因此可以将服务器证书作为根证书
cp server.crt root.crt
ls -l server.key
chown postgres:postgres server.key
chmod 600 server.key
错误信息:
private key file "server.key" has group or world access
File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
ssl = on
ssl_ca_file = ‘root.crt‘
ssl_cert_file = ‘server.crt‘
ssl_key_file = ‘server.key‘
hostssl all postgres 0.0.0.0/0 md5 clientcert=1
pg_ctl stop
pg_ctl start
psql "sslmode=require host=localhost dbname=postgres"
客户端需要三个文件: root.crt(根证书)、postgresql.crt(客户端证书)、postgresql.key(客户端私钥)
## 此处需输入密码,并需要再次确认输入密码
openssl genrsa -des3 -out postgresql.pem 2048
openssl rsa -in postgresql.pem -out postgresql.key
# Common Name (e.g. server FQDN or YOUR name) []:postgres该项必须设置为要连接postgresql数据库的用户名,否则会默认使用当前计算机的用户名,导致证书使用时,认证失败。
openssl req -new -key postgresql.key -out postgresql.csr
or
openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj ‘/C=CA/ST=British Columbia/L=Comox/O=TheBrain.ca/CN=www-data‘
openssl x509 -req -days 3650 -in postgresql.csr -CA root.crt -CAkey server.key -out postgresql.crt -CAcreateserial
标签:cert x509 create inf 客户 tmp res mod 需要
原文地址:https://www.cnblogs.com/binliubiao/p/14044573.html
