Localhost connections to the PostgreSQL database do not use TLS. To activate TLS, you can generate your own self-signed certificate with OpenSSL or provide your own certificate.
- To generate a self-signed certificate with OpenSSL, run the following commands:
    openssl req -new -text -out cert.req
    openssl rsa -in privkey.pem -out cert.pem
    openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
- To provide your own certificate, complete the following steps:
  - Modify the ownership of the CAcerts.crt file to postgres.
  - Edit the postgresql.conf file to include the following directive:
    ssl_ca_file = 'CAcerts.crt'
If you are using a certificate with a CA chain, you must add a CAcerts.crt file containing the intermediate and root CA certificates to the same directory.
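Before restarting the database, the generated files can be sanity-checked. The following is an added example, not part of the original procedure or the product's own tooling: check_tls_pair is a hypothetical helper that confirms the private key (cert.pem in the commands above, despite its name) loads without a passphrase, matches the certificate (cert.cert), is not group- or world-accessible, and, if a CA bundle is given, that the certificate chains to it. The permission check assumes the key file is owned by the postgres user.

```shell
#!/bin/sh
# Added example (hypothetical helper, not vendor code).
# Usage with the file names from the steps above:
#   check_tls_pair cert.pem cert.cert [CAcerts.crt]
# Returns 0 if every check passes, otherwise the number of the failed check.
check_tls_pair() {
    key=$1; cert=$2; ca=${3:-}

    # 1. The key must load with an empty passphrase: the server cannot
    #    answer a passphrase prompt when it starts unattended.
    openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1 || {
        echo "FAIL 1: $key is missing, encrypted, or not a private key"; return 1; }

    # 2. The certificate must be readable.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL 2: $cert is not a readable certificate"; return 2; }

    # 3. The public key inside the certificate must be the one derived
    #    from the private key; a mismatch means the files were mixed up.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL 3: $cert and $key do not belong together"; return 3; }

    # 4. Assumption: the key is owned by the postgres user, in which case
    #    PostgreSQL refuses a key file with any group or other access.
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "FAIL 4: $key is accessible to group or others (chmod 600)"; return 4; }

    # 5. Optional: the certificate must verify against the CA bundle.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
            echo "FAIL 5: $cert does not chain to $ca"; return 5; }
    fi
    echo "OK: $key and $cert are consistent"
}

# Run the checks when file names are passed on the command line.
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@"
fi
```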