On Wed, Apr 09, 2014 at 12:28:14PM -0700, Paul Jungwirth wrote:
> Hello,
>
> In light of the "Heartbleed" OpenSSL bug[0,1], I'm wondering if I need
> to regenerate the SSL certs on my postgres installations[2] (at least
> the ones listening on more than localhost)? On Ubuntu it looks like
> there are symlinks at /var/lib/postgresql/9.1/main/server.{crt,key}
> pointing to /etc/ssl/private/ssl-cert-snakeoil.{pem,key}. Is there any
> documentation on how to regenerate these? Are they self-signed? Can I
> replace them with my own self-signed certs, like I'd do with Apache or
> Nginx?
Have you read the Debian README?
/usr/share/doc/postgresql-*/README.Debian.gz
It talks about how the certificates are made. It uses the ssl-cert
package to make them, there's more docs there.
Yes, you can make your own self-signed certs and use them.
Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.
-- Arthur Schopenhauer