Gist MikeVL/fc77b3da29767bf337020b30475a69f0
Revisions
achesco revised this gist
Mar 27, 2018 . 1 changed file with 5 additions and 5 deletions.
@@ -1,13 +1,13 @@ _CNs are important!!! -days 3650_ #### Create a Certificate Signing Request (CN=localhost) ```bash umask u=rw,go= && openssl req -days 3650 -new -text -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=localhost' -keyout server.key -out server.csr ``` #### Generate self-signed certificate ```bash umask u=rw,go= && openssl req -days 3650 -x509 -text -in server.csr -key server.key -out server.crt ``` #### Also make the server certificate to be the root-CA certificate @@ -24,12 +24,12 @@ rm server.csr #### Create a Certificate Signing Request (CN=db-user) ```bash umask u=rw,go= && openssl req -days 3650 -new -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=chesco' -keyout client.key -out client.csr ``` #### Create a signed certificate for the client using our root certificate ```bash umask u=rw,go= && openssl x509 -days 3650 -req -CAcreateserial -in client.csr -CA root.crt -CAkey server.key -out client.crt ``` #### Remove the now-redundant CSR
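Review bot: raising every `-days 365` to `-days 3650` in the first hunk (`@@ -1,13 +1,13 @@`) gives the self-signed server certificate, which a later step copies to root.crt so that it also acts as the CA, a ten-year lifetime, and the only explanation is the note `_CNs are important!!! -days 3650_`. Since nothing in the configuration sets up certificate revocation, a leaked server.key stays trusted until expiry; either state why the long validity is wanted or keep the shorter period for this single-key setup.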
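Review bot: the heading in the second hunk (`@@ -24,12 +24,12 @@`) reads `(CN=db-user)` while the `-subj` that follows sets `CN=chesco`; with pg_hba.conf's `cert` method the certificate CN is matched against the PostgreSQL role name (the connect step uses `user=chesco`), so a reader who follows the heading literally will get a certificate that cannot log in. Change the heading to `(CN=chesco)` or say explicitly that the CN must equal the database role.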
achesco revised this gist
Mar 27, 2018 . No changes.
achesco revised this gist
Mar 27, 2018 . 1 changed file with 30 additions and 13 deletions.
@@ -5,42 +5,59 @@ _CNs are important!!! -days 365_ umask u=rw,go= && openssl req -days 365 -new -text -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=localhost' -keyout server.key -out server.csr ``` #### Generate self-signed certificate ```bash umask u=rw,go= && openssl req -days 365 -x509 -text -in server.csr -key server.key -out server.crt ``` #### Also make the server certificate to be the root-CA certificate ```bash umask u=rw,go= && cp server.crt root.crt ``` #### Remove the now-redundant CSR ```bash rm server.csr ``` ### Generate client certificates to be used by clients/connections #### Create a Certificate Signing Request (CN=db-user) ```bash umask u=rw,go= && openssl req -days 365 -new -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=chesco' -keyout client.key -out client.csr ``` #### Create a signed certificate for the client using our root certificate ```bash umask u=rw,go= && openssl x509 -days 365 -req -CAcreateserial -in client.csr -CA root.crt -CAkey server.key -out client.crt ``` #### Remove the now-redundant CSR ```bash rm client.csr ``` #### Edit postgresql.conf ```apache ssl = on ssl_cert_file = 'server.crt' ssl_key_file = 'server.key' ssl_ca_file = 'root.crt' ``` #### Edit pg_hba.conf ```apache hostssl all all ::1/128 cert clientcert=1 hostssl all all 127.0.0.1/32 cert clientcert=1 #host all all 127.0.0.1/32 md5 #host all all 127.0.0.1/32 trust #host all all ::1/32 trust ``` #### Connect: ```bash psql "host=localhost dbname=dbName user=chesco sslmode=verify-ca \ sslcert=client.crt \ sslkey=client.key \ sslrootcert=root.crt" ```
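Review bot: in the Connect step at the end of this hunk, `sslmode=verify-ca` only checks that the server certificate chains to root.crt; since the file stresses that CNs matter and issues the server certificate with `CN=localhost` for `host=localhost`, `sslmode=verify-full` would also check that the name matches and is the stronger setting to document. Also, the commented-out `#host all all ::1/32 trust` line in the pg_hba.conf block uses /32 for the IPv6 loopback where the active `hostssl` line correctly uses `::1/128`; if it is ever uncommented it would `trust` far more than loopback, so fix the mask or drop the line.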
achesco revised this gist
Mar 27, 2018 . 1 changed file with 3 additions and 3 deletions.
@@ -1,9 +1,9 @@ _CNs are important!!! -days 365_ #### Create a Certificate Signing Request (CN=localhost) ```bash umask u=rw,go= && openssl req -days 365 -new -text -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=localhost' -keyout server.key -out server.csr ``` # Generate self-signed certificate umask u=rw,go= && openssl req -days 365 -x509 -text -in server.csr -key server.key -out server.crt
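Review bot: this hunk converts the CSR step to a `####` heading with a ```bash fence but leaves `# Generate self-signed certificate` as a shell-style comment with its openssl command unfenced, so the file now renders half as markdown and half as raw text; convert the remaining steps the same way.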
achesco revised this gist
Mar 27, 2018 . 1 changed file with 3 additions and 3 deletions.
@@ -1,7 +1,7 @@ _CNs are important!!! -days 365_ #### Create a Certificate Signing Request #### CN=localhost umask u=rw,go= && openssl req -days 365 -new -text -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/emailAddress=[email protected]/CN=localhost' -keyout server.key -out server.csr
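Review bot: `#### Create a Certificate Signing Request #### CN=localhost` renders as two separate section titles, with the CN looking like a heading of its own; fold it into one heading such as `#### Create a Certificate Signing Request (CN=localhost)` or make it a sentence under the heading.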
achesco created this gist
Mar 27, 2018 .
@@ -0,0 +1,46 @@ # CNs are important!!! -days 365 # Create a Certificate Signing Request # CN=localhost umask u=rw,go= && openssl req -days 365 -new -text -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/emailAddress=[email protected]/CN=localhost' -keyout server.key -out server.csr # Generate self-signed certificate umask u=rw,go= && openssl req -days 365 -x509 -text -in server.csr -key server.key -out server.crt # Also make the server certificate to be the root-CA certificate umask u=rw,go= && cp server.crt root.crt # Remove the now-redundant CSR rm server.csr # Generate client certificates to be used by clients/connections # Create a Certificate Signing Request # CN=db-user umask u=rw,go= && openssl req -days 365 -new -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/emailAddress=[email protected]/CN=chesco' -keyout client.key -out client.csr # Create a signed certificate for the client using our root certificate. umask u=rw,go= && openssl x509 -days 365 -req -CAcreateserial -in client.csr -CA root.crt -CAkey server.key -out client.crt # Remove the now-redundant CSR rm client.csr # Edit postgresql.conf ssl = on ssl_cert_file = 'server.crt' ssl_key_file = 'server.key' ssl_ca_file = 'root.crt' # Edit pg_hba.conf hostssl all all ::1/128 cert clientcert=1 hostssl all all 127.0.0.1/32 cert clientcert=1 #host all all 127.0.0.1/32 md5 #host all all 127.0.0.1/32 trust #host all all ::1/32 trust # Connect: psql "host=localhost dbname=dbName user=chesco sslmode=verify-ca \ sslcert=client.crt \ sslkey=client.key \ sslrootcert=root.crt"
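Review bot: the client certificate is signed with `-CA root.crt -CAkey server.key`, and root.crt is a plain copy of server.crt, so the server's TLS private key is also the CA key; anyone who obtains server.key can mint client certificates that the `cert` lines in pg_hba.conf will accept for any role. Generate a separate CA key and certificate, sign both server.csr and client.csr with it, and point `ssl_ca_file` at that CA; at minimum the file should state this trade-off next to the `cp server.crt root.crt` step. Note also that `-nodes` leaves both server.key and client.key unencrypted, which is expected for the server key but worth calling out for the client one.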