>a separate application server
Well this can be a solution in a trustworthy and friendly environment, on
which I can't count.
I would have been more at ease if libpq could manage a PKCS12 cert. or some
secure wallet/keystore that contains both the public and private keys for SSL
traffic. Neither the end user nor any admin would have to provide the password
to access the keys inside the secured storage as I would have prefered to
hard-code the password. Hard coding is not an elegant solution I agree, but
leaving on the table an unencrypted private key is not something to do IMO.
Any way, thank you for the feedback which has been instructive.
