September 26, 2024: PostgreSQL 17 Released!
Supported Versions: Current (17) / 16 / 15 / 14 / 13 / 12
Development Versions: devel
Unsupported versions: 11 / 10 / 9.6 / 9.5 / 9.4 / 9.3 / 9.2 / 9.1 / 9.0 / 8.4 / 8.3 / 8.2 / 8.1 / 8.0
This documentation is for an unsupported version of PostgreSQL.
You may want to view the same page for the current version, or one of the other supported versions listed above instead.

30.16. SSL Support

PostgreSQL has native support for using SSL connections to encrypt client/server communications for increased security. See Section 17.8 for details about the server-side SSL functionality.

libpq reads the system-wide OpenSSL configuration file. By default, this file is named openssl.cnf and is located in the directory reported by openssl version -d. This default can be overridden by setting environment variable OPENSSL_CONF to the name of the desired configuration file.

To verify the server certificate is trustworthy, place certificates of the certificate authorities (CA) you trust in the file ~/.postgresql/root.crt in the user's home directory. (On Microsoft Windows the file is named %APPDATA%\postgresql\root.crt.) libpq will then verify that the server's certificate is signed by one of the trusted certificate authorities. The SSL connection will fail if the server does not present a trusted certificate. Certificate Revocation List (CRL) entries are also checked if the file ~/.postgresql/root.crl exists (%APPDATA%\postgresql\root.crl on Microsoft Windows).

If the server requests a trusted client certificate, libpq will send the certificate stored in file ~/.postgresql/postgresql.crt in the user's home directory. The certificate must be signed by one of the certificate authorities (CA) trusted by the server. A matching private key file ~/.postgresql/postgresql.key must also be present, unless the secret key for the certificate is stored in a hardware token, as specified by PGSSLKEY. (On Microsoft Windows these files are named %APPDATA%\postgresql\postgresql.crt and %APPDATA%\postgresql\postgresql.key.) The private key file must not be world-readable.

If the environment variable PGSSLKEY is set, its value should consist of a colon-separated engine name and key identifier. In this case, libpq will load the specified engine, i.e. the OpenSSL module which supports special hardware, and reference the key with the specified identifier. Identifiers are engine-specific. Typically, cryptography hardware tokens do not reveal secret keys to the application. Instead, applications delegate all cryptography operations which require the secret key to the hardware token.

If you are using SSL inside your application (in addition to inside libpq), you can use PQinitSSL(int) to tell libpq that the SSL library has already been initialized by your application. See http://h71000.www7.hp.com/doc/83final/BA554_90007/ch04.html for details on the SSL API.

Table 30-1. Libpq/Client SSL File Usage

File Contents Effect
~/.postgresql/postgresql.crt client certificate requested by server
~/.postgresql/postgresql.key client private key proves client certificate sent by owner; does not indicate certificate owner is trustworthy
~/.postgresql/root.crt trusted certificate authorities checks server certificate is signed by a trusted certificate authority
~/.postgresql/root.crl certificates revoked by certificate authorities server certificate must not be on this list