Question

How can I obtain the Client certificate and Client private key for the managed PostgreSQL

Posted March 26, 2020 384 views
PostgreSQL

How can I obtain the Client certificate and Client private key for the managed PostgreSQL? Google Data Studio requires both the client cert and pk in addition to the server certificate.

I’m almost giving up. I might just go back to a droplet and set up my own postgres there.

2 answers

I can only guess you need to create a key, a signing request, and finally a certificate, in that order. The typical way to do that is with OpenSSL:

$ openssl genpkey ... -out <key-file>
$ openssl req -new -key <key-file> ... -out <sign-req-file>
$ openssl x509 -req -in <sign-req-file> ... -out <cert-file>

There are several algorithm types of keys, among them RSA and elliptic curves like prime-256 and prime-512, which are not 'safe curves'. There is a webpage listing 'safe curves'. Implementation of safe curves is not common, but OpenSSH (not L but H) has Ed25519. Note that the key file has both the public and private keys. A file with just the public key can be made and can be publicized freely, but not the file with the private key (really the key pair).

The best free documentation on using OpenSSL is OpenSSL Cookbook by Ivan Ristić. The instructions for acme-tiny are helpful as a use case using OpenSSL. I am not sure what your use case is. I have only gotten a domain certificate using the ACME protocol. I have never validated the client to the server. The server will need something to identify the client. The server might have a key with which to sign the client certificate. There must be some documentation out there to explain it for your use case. The Cookbook demonstrates how to issue a client certificate, but your use case could require adjustment. It’s a complex subject that is not so well documented. The PostgreSQL manual is awesome, which is why PostgreSQL is my favorite database.

You could just go with user-password and leave this for later?

Going by https://www.postgresql.org/docs/current/libpq-ssl.html, it looks to me like you want to read the Cookbook if you want to grind through this. Good luck!

edited by AHA
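
The key, signing request, certificate sequence from the answer above, carried through end to end as an added example (not code from the original post or from the hosting provider). It assumes a throwaway local CA standing in for whatever CA the server trusts for client certificates, and a constructed role name `appuser`; whether the managed service will trust a CA you supply is not established on this page.

```shell
#!/bin/sh
# Added example: key -> signing request -> certificate for a PostgreSQL client.
# Assumptions: the CA below is a throwaway stand-in for whatever CA the server
# trusts for client certificates; "appuser" is a constructed role name.
set -eu

make_client_cert() {
    dir=$1
    user=$2
    mkdir -p "$dir"
    # Stand-in CA (self-signed). Its certificate is what the server would trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 1. Client private key. libpq rejects a key file that group or world can read.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/client.key" 2>/dev/null
    chmod 600 "$dir/client.key"
    # 2. Signing request. PostgreSQL "cert" authentication compares CN to the role.
    openssl req -new -key "$dir/client.key" -subj "/CN=$user" \
        -out "$dir/client.csr"
    # 3. Certificate, signed by the CA.
    openssl x509 -req -in "$dir/client.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
}

check_client_cert() {
    dir=$1
    # The certificate must chain to the CA ...
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
    # ... and carry the public half of the private key we hold.
    from_key=$(openssl pkey -in "$dir/client.key" -pubout | openssl dgst -sha256)
    from_crt=$(openssl x509 -in "$dir/client.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$from_key" = "$from_crt" ]
}

client_cn() {
    # Print the subject line of the issued certificate.
    openssl x509 -in "$1/client.crt" -noout -subject
}

out=$(mktemp -d)
make_client_cert "$out" appuser
check_client_cert "$out" && echo "verified: $(client_cn "$out")"
echo "files in $out: client.crt client.key ca.crt"
```

libpq takes the resulting certificate and key through its `sslcert` and `sslkey` connection parameters; `ca.key` never leaves the machine that signs.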

Is this truly the only way?

Why is there a key selection on the droplets but not on the managed db? I have to make a new key for every db? This is crazy talk here. I have lots of my own droplets and db’s and I use one key for them all because having multiple ones is a hassle.

I might just spin up my own droplet as well. Yeesh!
