Thread: certs in connection string
I’m confused, as usual, about using a cert in a connection string. I wish to connect form a “middle ware” piece to PG onbe half of various clients. Does each client need a corresponding cert/key or is the certification intended to say the sending machine is who it saysit is (thereby needing only one cert)
On Sat, 2021-02-13 at 09:57 -0700, Rob Sargent wrote: > I’m confused, as usual, about using a cert in a connection string. I wish to connect form a > “middle ware” piece to PG on be half of various clients. Does each client need a corresponding > cert/key or is the certification intended to say the sending machine is who it says it is > (thereby needing only one cert) They can share one certificate. https://www.postgresql.org/docs/current/auth-cert.html: When using this authentication method, the server will require that the client provide a valid, trusted certificate. No password prompt will be sent to the client. The cn (Common Name) attribute of the certificate will be compared to the requested database user name, and if they match the login will be allowed. Yours, Laurenz Albe -- Cybertec | https://www.cybertec-postgresql.com
On 2/15/21 8:23 AM, Laurenz Albe wrote: > On Sat, 2021-02-13 at 09:57 -0700, Rob Sargent wrote: >> I’m confused, as usual, about using a cert in a connection string. I wish to connect form a >> “middle ware” piece to PG on be half of various clients. Does each client need a corresponding >> cert/key or is the certification intended to say the sending machine is who it says it is >> (thereby needing only one cert) > > They can share one certificate. > > https://www.postgresql.org/docs/current/auth-cert.html: > > When using this authentication method, the server will require that the client provide a valid, > trusted certificate. No password prompt will be sent to the client. The cn (Common Name) > attribute of the certificate will be compared to the requested database user name, and if they > match the login will be allowed. > > Yours, > Laurenz Albe > Thank you. Since I wish to make the jdbc connection using the role's login (for search_path, I take it I will make role-specific certs, setting the CN accordingly. (I do know which role I need for each connection request and can set the dbname as well).