David,
First step - well before placing your certificates correctly, is to be sure your PostgreSQL _server_ has been compiled with SSL support. From that message, it seems it isn't... >From there, you have to place all the certificates and keys in correct >locations - but I think you're not quite there yet. To get yourself going, why not first set up a pg_hba.conf configuration using hostssl, but skip the certificate usage for the moment... Probably a bit to handle all at once; SSL plus the certificate authentication all in one go... Lou Picciano ----- Original Message ----- From: "David Patricola" <david.patric...@jefferson.edu> To: openssl-users@openssl.org Sent: Monday, January 31, 2011 4:10:10 PM Subject: RE: First time attempting PostgreSQL SSL I found an excellent tutorial on this: http://www.howtoforge.com/postgresql-ssl-certificates I followed the instructions perfectly, and used my client computer's IP address as the CA. Here's my setup so far: On the server: - In Postgre data/ I have the server.crt and server.key files - pg_hba.conf has hostssl all all myipaddress/32 cert - postgresql.conf has ssl = on - I restarted the service and it connected. On the client: - In my %appdata%/postgresql folder I have postgresql.crt, postgresql.csr, postgresql.key and root.crt After this, I try to connect to the server again from my client box and it says "server does not support SSL, but SSL is required". Would this be a Postgre issue or did I not put a certificate file correctly somewhere? -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Alan Buxey Sent: Saturday, January 29, 2011 3:21 PM To: openssl-users@openssl.org Subject: Re: First time attempting PostgreSQL SSL Hi, > I’m new as can be with creating SSL certificates on my own. I downloaded > the openssl binary and installed it. The instructions and tutorials on > the website don’t help me much in terms of steps A,B,C; this could also be > due to a lack of familiarity with technical terms used for each part of > this. The only thing I did accomplish is the following > > > > openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout > privateKey.key > > > > I now have a privateKey and CSR file in the openssl/bin folder. Beyond > this I do not know what goes where. I’m on Windows 2003 (server) and > Windows XP (client). I know what to change in the PostgreSQL config but > do not know if PostgreSQL implicitly knows that a certificate exists, and > what the client box should have. you probably want to check the postgreSQL documentation for where and how to use the certs - as this is not specific to OpenSSL. anyway, in general terms...you now have a private key - good, the PSQL server would have that.... you need to get your CSR signed by a CA that the client knows..... you then would configure PSQL to use the public version of the signed CSR - usually a DER or PEM file by that point. at this point, its just like a client talking to an SSL'd web server (or any other service). client connects, gets given the cert...which it trusts (because of CA) and then SLS tunnel gets made. data is transferred over that tunnel. alan ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
