Generate an SSL certificate for PostgreSQL server and client
Last modified: March 28, 2025
The guide provides a procedure for generating an SSL certificate for a PostgreSQL server and client, as well as enabling SSL connection to a PostgreSQL database. For testing purposes, a self-signed certificate can be used, while in a production environment, a certificate signed by a Certificate Authority (CA) should be used.
Prerequisite
- Before proceeding, ensure that OpenSSL, a tool for creating SSL certificates, is installed on your machine. To confirm whether OpenSSL is installed, open the Command Prompt and execute the following OpenSSL command:
openssl version -a
If OpenSSL is installed, you will see a version number, a release date, and the directory where the certificate and private keys can be located.
If OpenSSL is not installed, you can download it from the official website.
To enable SSL for your database, you need to create the following files:
- server.key: a private key that will be used to encrypt communication between the server and the client
- server.crt: a server certificate
- root.crt: a trusted root certificate
Step 1: Generate the private key, server and root certificates
1. To generate a private key and a self-signed SSL certificate, open the OpenSSL command prompt and run the following command:
openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key
In this command, 365 is the number of days that a self-signed SSL certificate will be valid for. You can change the number of days by modifying the -days parameter.
2. Next, you will be prompted to enter the following parameters:
| Parameter | Description |
|---|---|
| -days | Number of days the current certificate will be valid |
| /C= | Country Note that you should specify two letters for the country, for example, AU for Australia. |
| /ST= | State |
| /L= | Location |
| /O= | Organization |
| /OU= (optional) | Organizational Unit |
| /CN= | Common Name |
| /emailAddress= |
Note
If the certificate is used in a production environment, use your personal data.
2. Since we are creating and signing certificates by ourselves, the server certificate will also be used as a trusted root certificate. Therefore, create a copy of the server certificate as follows:
cp server.crt root.crt
Note
If the server certificate is the only certificate being used, this step is not necessary.
3. To enable SSL for PostgreSQL, copy the server and root certificate and key files and paste them into the PostgreSQL data directory.
Depending on the operating system and installation method of PostgreSQL you used, select the following directory to copy files to.
- On Linux installed with the PostgreSQL package manager: “/etc/ssl/private” directory.
- On Linux installed using the PostgreSQL source code: “data” directory of the PostgreSQL installation folder.
- On Windows installed using the EnterpriseDB installer: “C:\Program Files\PostgreSQL<postgresql_version>\data” directory of the PostgreSQL installation folder.
So, all three required certificates have been created and moved to the PostgreSQL data directory. Now, it is time to restart the PostgreSQL server.
Step 2: Configure PostgreSQL to use SSL
The next step is to configure PostgreSQL server to enable and use SSL.
1. Open the postgresql.conf file located in the PostgreSQL data directory using any text editor.
2. Uncomment the lines that enable SSL and modify them as shown:
ssl = on
ssl_ca_file = 'root.crt'
ssl_cert_file = 'server.crt'
ssl_crl_file = ''
ssl_key_file = 'server.key'
Then, save the file.
3. Modify the client PostgreSQL configuration file. For this, open the pg_hba.conf file located in the PostgreSQL data directory using any text editor.
4. Add the following line to the file:
hostssl all all 0.0.0.0/0 md5 clientcert=1
This line allows SSL connections from any IP address using the md5 authentication method and requires the client to provide a valid SSL certificate.
Then, save the file.
6. Restart the PostgreSQL server to apply the changes.
Now, ensure that SSL has been enabled by opening dbForge Studio for PostgreSQL, clicking New SQL, and executing the following command:
SHOW ssl;
If enabled, ssl will be set to on.
Step 3: Generate an SSL certificate for the client
1. Create a client SSL certificate using the following command:
openssl req -new -nodes -out client.csr -keyout client.key
You will be prompted to enter the following parameters:
Note
The Common Name (CN) must be the same as the database username that you set during the first certificate generation in the server configuration file. In our case, it is all.
| Parameter | Description |
|---|---|
| -days | Number of days the current certificate will be valid |
| /C= | Country Note that you should specify two letters for the country, for example, AU for Australia. |
| /ST= | State |
| /L= | Location |
| /O= | Organization |
| /OU= (optional) | Organizational Unit |
| /CN= | Common Name |
| /emailAddress= |
This command will generate a client certificate signing request (CSR) and a private key.
2. Sign the client certificate using the following command:
openssl x509 -req -in client.csr -CA server.crt -CAkey server.key -CAcreateserial -out client.crt -days 365
This command will sign the client CSR using the server’s SSL certificate and key, and generate a client SSL certificate that is valid for 365 days.
3. Restart the PostgreSQL server.
4. When connecting to the Studio, you need to specify the directory to the created client SSL certificate in Database Connection Properties > Security > Use SSL Protocol:
'%3e%3cpath%20id='thumb_up_2'%20d='M15%2017H5.5V7L11.5%201L12.1667%201.45833C12.4028%201.625%2012.5833%201.83681%2012.7083%202.09375C12.8333%202.35069%2012.8681%202.61806%2012.8125%202.89583L12.7917%203L12%207H17.5C17.9167%207%2018.2708%207.14583%2018.5625%207.4375C18.8542%207.72917%2019%208.08333%2019%208.5V9.6875C19%209.79861%2018.9896%209.89931%2018.9688%209.98958C18.9479%2010.0799%2018.9167%2010.1736%2018.875%2010.2708L16.3944%2016.0875C16.2703%2016.3625%2016.0833%2016.5833%2015.8333%2016.75C15.5833%2016.9167%2015.3056%2017%2015%2017ZM7%2015.5H15L17.5%209.6875V8.5H10.1667L11.1875%203.4375L7%207.625V15.5ZM5.5%207V8.5H2.5V15.5H5.5V17H1V7H5.5Z'%20fill='%2327282C'/%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
Yes'%3e%3cpath%20id='thumb_down_2'%20d='M5%203H14.5V13L8.5%2019L7.83333%2018.5417C7.59722%2018.375%207.41667%2018.1632%207.29167%2017.9062C7.16667%2017.6493%207.13194%2017.3819%207.1875%2017.1042L7.20833%2017L8%2013H2.5C2.08333%2013%201.72917%2012.8542%201.4375%2012.5625C1.14583%2012.2708%201%2011.9167%201%2011.5V10.3125C1%2010.2014%201.01042%2010.1007%201.03125%2010.0104C1.05208%209.92014%201.08333%209.82639%201.125%209.72917L3.60417%203.91667C3.71528%203.63889%203.89931%203.41667%204.15625%203.25C4.41319%203.08333%204.69444%203%205%203ZM13%204.5H5L2.5%2010.3125V11.5H9.83333L8.8125%2016.5625L13%2012.375V4.5ZM14.5%2013V11.5H17.5V4.5H14.5V3H19V13H14.5Z'%20fill='%2327282C'/%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
NoWant to find out more?
'%3e%3cpath%20id='Vector'%20d='M4%204V24H24V4H4ZM22%2022H6V9H22V22ZM19%2019H9V18H19V19ZM19%2016H9V15H19V16ZM19%2013H9V12H19V13ZM21%202H2V21H0V0H21V2Z'%20fill='%230071CE'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_676_40052'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Overview
Take a quick tour to learn all about the key benefits delivered by dbForge Studio for PostgreSQL.
All features
Get acquainted with the rich features and capabilities of the tool in less than 5 minutes.
Request a demo
If you consider employing this tool for your business, request a demo to see it in action.
