Commit
a445cb92ef5b3a31313ebce30e18cc1d6e0bdecb removed the default file
names for server-side CRL and CA files, but left them in the docs with a
small note. This removes the note and the previous default names to
clarify, as well as changes mentions of the file names to make it
clearer that they are configurable.
Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
The default is empty, meaning no CA file is loaded,
and client certificate verification is not performed.
</para>
- <para>
- In previous releases of PostgreSQL, the name of this file was
- hard-coded as <filename>root.crt</filename>.
- </para>
</listitem>
</varlistentry>
file or on the server command line.
The default is empty, meaning no CRL file is loaded.
</para>
- <para>
- In previous releases of PostgreSQL, the name of this file was
- hard-coded as <filename>root.crl</filename>.
- </para>
</listitem>
</varlistentry>
certificate of the signing authority to the <filename>postgresql.crt</>
file, then its parent authority's certificate, and so on up to a certificate
authority, <quote>root</> or <quote>intermediate</>, that is trusted by
- the server, i.e. signed by a certificate in the server's
- <filename>root.crt</filename> file.
+ the server, i.e. signed by a certificate in the server's root CA file
+ (<xref linkend="guc-ssl-ca-file">).
</para>
<para>
<para>
To require the client to supply a trusted certificate, place
certificates of the certificate authorities (<acronym>CA</acronym>s)
- you trust in the file <filename>root.crt</filename> in the data
+ you trust in a file named <filename>root.crt</filename> in the data
directory, set the parameter <xref linkend="guc-ssl-ca-file"> in
<filename>postgresql.conf</filename> to <literal>root.crt</literal>,
and add the authentication option <literal>clientcert=1</literal> to the
<para>
<xref linkend="ssl-file-usage"> summarizes the files that are
relevant to the SSL setup on the server. (The shown file names are default
- or typical names. The locally configured names could be different.)
+ names. The locally configured names could be different.)
</para>
<table id="ssl-file-usage">
</row>
<row>
- <entry><xref linkend="guc-ssl-ca-file"> (<filename>$PGDATA/root.crt</>)</entry>
+ <entry><xref linkend="guc-ssl-ca-file"></entry>
<entry>trusted certificate authorities</entry>
<entry>checks that client certificate is
signed by a trusted certificate authority</entry>
</row>
<row>
- <entry><xref linkend="guc-ssl-crl-file"> (<filename>$PGDATA/root.crl</>)</entry>
+ <entry><xref linkend="guc-ssl-crl-file"></entry>
<entry>certificates revoked by certificate authorities</entry>
<entry>client certificate must not be on this list</entry>
</row>
</para>
<para>
This function is really useful only if you have more than one trusted CA
- certificate in your server's <filename>root.crt</> file, or if this CA
+ certificate in your server's certificate authority file, or if this CA
has issued some intermediate certificate authority certificates.
</para>
</listitem>
projects / postgresql / commitdiff