Localhost connections to the PostgreSQL database do not use TLS. To enable TLS, you can generate your own self-signed certificate with OpenSSL or provide your own certificate.

About this task

  • To generate a self-signed certificate with OpenSSL, run the following commands:

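    # Create a certificate request; this also writes a passphrase-protected key to privkey.pem
    openssl req -new -text -out cert.req
    # Remove the passphrase from the key; cert.pem now holds the private key
    openssl rsa -in privkey.pem -out cert.pem
    # Self-sign the request to produce the certificate
    openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert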
  • To provide your own certificate, complete the following steps:

    • Change the owner of the CAcerts.crt file to postgres.

    • Edit the postgresql.conf file to include the directive ssl_ca_file = 'CAcerts.crt'.

      If you are using a certificate with a CA chain, you must add a CAcerts.crt file containing the intermediate and root CA certificates to the same directory.
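
Whichever certificate you use, checks like the following catch the common failures before PostgreSQL loads the files. This is an added example, not part of the original documentation: check_pg_tls_files and make_sample_pair are hypothetical helper names, and the permission check assumes the key file is owned by the postgres user. With the OpenSSL commands above, the certificate is cert.cert and the private key is cert.pem.

```shell
#!/bin/sh
# Added example: sanity checks for PostgreSQL TLS files.
# check_pg_tls_files is a hypothetical helper, not a PostgreSQL or OpenSSL tool.

# Usage: check_pg_tls_files <certificate> <private-key>
# Returns 0 when all checks pass; prints the first failed check to stderr.
check_pg_tls_files() {
    cert=$1
    key=$2

    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; return 1; }

    # The private key must not be accessible to group or others.
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$key: group/other access ($mode)" >&2; return 2; }

    # The key must load without a passphrase (empty -passin prevents a prompt).
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "$key: unreadable or passphrase-protected" >&2; return 3; }

    # The certificate's public key must be the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "$cert: not a PEM certificate" >&2; return 4; }
    [ "$key_pub" = "$cert_pub" ] || { echo "certificate and key do not match" >&2; return 5; }

    # The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "$cert: expired" >&2; return 6; }
    return 0
}

# Constructed sample input: a throwaway key and self-signed certificate in <dir>.
make_sample_pair() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
          -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1 )
}
```

For the self-signed files generated above, call it as check_pg_tls_files cert.cert cert.pem.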