7.1 Ensure SSL Certificates are Configured For Replication - ssl cert file

Information

Creating and managing SSL certificates on the PRIMARY and STANDBY host(s).
Rationale:
Secure Sockets Layer (SSL) certificates enable encrypted communications between the PRIMARY and STANDBY hosts. SSL certificates can also be used to authenticate the identity of the host. The use of SSL certificates mitigates against sniffing of what would otherwise be sensitive information that's being transmitted in the clear.

Solution

Running a server with ssl=on is not possible until both a server certificate and key have been created, installed in the correct location, and are set with the correct permissions.
Although generating certificates signed by a Certificate Authority, CA is ideal, one can use self-signed certificates too.
Use the following example as a starting point to generate a self-signed certificate, the script is executed on the server in question. Note that the value of the SUBJ variable contains a carriage return to allow for formatting - the entire value should appear on a single line in the script.
set -e
state='Washington'
city='Seattle'
organization='My Company'
org_unit='My department'
cn=$(hostname -f)
email='[email protected]'
SUBJ='/C=US/ST=$state/L=$city/O=$organization/
OU=$org_unit/CN=$cn/emailAddress=$email'
DAYS=3650
if [ -e '$PGDATA' ]; then
KEY='$PGDATA/server.key'
CRT='$PGDATA/server.crt'
else
KEY='server.key'
CRT='server.crt'
fi
openssl req \
-nodes \
-x509 \
-newkey rsa:2048 \
-keyout $KEY \
-out $CRT \
-days $DAYS \
-subj '$SUBJ'
chmod 600 $KEY
chmod 664 $CRT
echo 'DONE'

See Also

https://workbench.cisecurity.org/files/2234

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: PostgreSQLDB

Control ID: 21e31f0dda2abb2f8b63f2ed7aae3f1ea01bb250a55a6758e41d3d591a11f4df