| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | raf <raf(at)raf(dot)org> |
| Cc: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: How to change the TLS certificate/key without restarting the server? |
| Date: | 2019-11-08 00:16:10 |
| Message-ID: | 20191108001610.GA488@momjian.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On Thu, Oct 17, 2019 at 04:20:42PM +1100, raf wrote:
> Hi,
>
> https://www.postgresql.org/docs/12/ssl-tcp.html says:
>
> "Using a passphrase also disables the ability to
> change the server's SSL configuration without a
> server restart."
>
> How is key TLS key changed without a server restart?
> Is replacing the server.crt/server.key files enough
> or is there more to it?
>
> And will existing connections continue to use the old
> key until they disconnect?
The Postgres docs say:
https://www.postgresql.org/docs/12/ssl-tcp.html#SSL-SERVER-FILES
The server reads these files at server start and whenever the server
configuration is reloaded. On Windows systems, they are also re-read
whenever a new backend process is spawned for a new client connection.
I actually don't know if existing sessions start using the new
certificate, or just new sessions. This doc sentence suggests even
existing sessions use the new certificate:
If an error in these files is detected at server start, the server will
refuse to start. But if an error is detected during a configuration
reload, the files are ignored and the old SSL configuration continues to
be used.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | pradeep pandey | 2019-11-08 19:59:42 | Help Needed for pgbench with retry option |
| Previous Message | Vasanth Kumar Pediseti | 2019-11-07 22:45:13 | Re: Database consistency check. |