How to specify a client certificate to psql?

Question

I have a Postgres server with a user dev which requires a client certificate to log in. I'm using the command psql "sslmode=require user=dev host=db.prod", which gives me psql: FATAL: connection requires a valid client certificate.

I know where the certificate is on my server. My question is, how do I specify the client certificate location to psql?

http://www.postgresql.org/docs/current/static/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT — Milen A. Radev, Jan 30 '15 at 12:19

score 18 · Answer 1 · edited Oct 27 '16 at 18:23

18

The end result looks like $>psql "port=5431 host=localhost user=postgres sslcert=./test/client.crt sslkey=./test/client.key sslrootcert=./test/server.crt sslmode=verify-ca"

All the variables are here.

edited Oct 27 '16 at 18:23

chicks

3,639
10
26
36

answered Oct 27 '16 at 15:49

Olivier D

281
2
3

2

if I place root crt in ~/.postgreqsl/ I don't have to provide any key. If I place it somewhere else and provide sslrootcert, suddenly I have to also provide key - do you know how does that work? – Radu Simionescu Sep 11 '18 at 16:58

score 10 · Accepted Answer · answered Feb 02 '15 at 09:43

10

As stated in the documentation linked by @Milen, you can do this by setting the PGSSLCERT and PGSSLKEY environment variables, or by adding sslcert=<cert location> sslkey=<key location> to the connection string.

answered Feb 02 '15 at 09:43

Jorn

441
1
4
13

2

I'll note here that `PGSSLCERT` and `PGSSLKEY` also allow ***paths*** to be specified, so don't `cat` the certificate or key itself into those variables. – Seldom 'Where's Monica' Needy Jun 03 '16 at 21:21

How to specify a client certificate to psql?

2 Answers2