We're running PostgreSQL 8.3.5 on Windows in production (and it's a
spectacular piece of software) and we have 8.3.5 and 8.4 on Windows in
our testing environments. I've created a Certificate Authority
root.crt root certificate (internal to the company) and used it to
sign a server.key and server.crt file. All of the openssl commands I
ran (using openssl on Cygwin) to create a key used -newkey rsa:2048 as
an option. The resulting root.crt file and server.crt file can be (and
have been) installed in the normal Windows certificate store - so at
least Windows Vista finds the format acceptable.

In PostgreSQL 8.3.5, I modified postgresql.conf and set ssl=on and
ssl_ciphers = ALL. I modified pg_hba.conf to have all of the
connections as "hostssl all all 192.168._._/16 md5" (obviously
replacing _._ with the IP of each machine that could connect). I put
root.crt, server.key, and server.crt into the 8.3.5 data directory.
When I restart the pgsql-8.3 service, it starts fine. I can connect
normally through SSL with psql, pgAdmin3, and JDBC from any of the
allowed pg_hba entries.

On the exact same server, I stop PostgreSQL 8.3.5 (pgsql-8.3 service).
I copy the same pg_hba.conf and postgresql.conf settings to the
PostgreSQL 8.4 installation. I copy the same root.crt, server.key,
and server.crt files into the PostgreSQL 8.4 data directory. I have
used both Windows Explorer and Cygwin "ls -l" and "getacl" commands to
verify that the permissions are identical. When I try to start the
PostgreSQL 8.4 service, it takes a long time and then reports that it
did not start. The Event Viewer has an error message "EDTFATAL: could
not load root certificate file "root.crt": Input/output error".

Any ideas?

Thanks.
-Mike
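
A pre-flight check for the root.crt, server.crt and server.key files described in the message above, as an added example that is not part of the original post or of PostgreSQL. The names check_pem, der_problem and wrap are hypothetical, and the code checks PEM/DER framing only (byte-order mark, block type, passphrase-protected key, truncated payload); it does not verify signatures or explain the 8.4 failure.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_problem(der):
    """Return problems if `der` is not exactly one complete DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return ["payload is not a DER SEQUENCE"]
    n, hdr = der[1], 2
    if n & 0x80:                       # long form: low 7 bits count the length octets
        k = n & 0x7F
        if k == 0 or len(der) < 2 + k:
            return ["bad DER length field"]
        n, hdr = int.from_bytes(der[2:2 + k], "big"), 2 + k
    if hdr + n != len(der):            # file cut short or has trailing bytes
        return [f"DER header declares {hdr + n} bytes, payload has {len(der)}"]
    return []

def check_pem(data, expect):
    """Framing checks on one PEM file; `expect` is 'CERTIFICATE' or 'PRIVATE KEY'."""
    problems = []
    if data[:3] == b"\xef\xbb\xbf" or data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        problems.append("starts with a byte-order mark (re-saved by a text editor?)")
    blocks = PEM_RE.findall(data)
    if not blocks:
        return problems + ["no complete BEGIN/END PEM block found"]
    for label, body in blocks:
        if not label.endswith(expect.encode()):
            problems.append(f"unexpected block type {label.decode()!r}")
        if b"ENCRYPTED" in label or b"Proc-Type: 4,ENCRYPTED" in body:
            problems.append("key is passphrase-protected; a service start cannot supply it")
            continue
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            problems.append("body is not valid base64")
            continue
        problems += der_problem(der)
    return problems

# Constructed sample, not a real certificate: DER SEQUENCE { INTEGER 1 }.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
def wrap(label, der):
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode()

if __name__ == "__main__":
    print(check_pem(wrap("CERTIFICATE", SAMPLE_DER[:-1]), "CERTIFICATE"))
```

To check real files, read each one in binary mode and pass the bytes with the expected type, for example `check_pem(open("root.crt", "rb").read(), "CERTIFICATE")`.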