您好,登錄后才能下訂單哦!
這篇文章主要介紹“如何設(shè)置CA證書來強化PostgreSQL的安全性”,在日常操作中,相信很多人在如何設(shè)置CA證書來強化PostgreSQL的安全性問題上存在疑惑,小編查閱了各式資料,整理出簡單好用的操作方法,希望對大家解答”如何設(shè)置CA證書來強化PostgreSQL的安全性”的疑惑有所幫助!接下來,請跟著小編一起來學(xué)習(xí)吧!
設(shè)置CA
CA應(yīng)該是一臺離線的處于高度安全環(huán)境中的計算機。
生成CA私鑰
sudo openssl genrsa -des3 -out /etc/ssl/private/trustly-ca.key 2048 sudo chown root:ssl-cert /etc/ssl/private/trustly-ca.key sudo chmod 640 /etc/ssl/private/trustly-ca.key
生成CA證書
sudo openssl req -new -x509 -days 3650 \ -subj '/C=SE/ST=Stockholm/L=Stockholm/O=Trustly/CN=trustly' \ -key /etc/ssl/private/trustly-ca.key \ -out /usr/local/share/ca-certificates/trustly-ca.crt sudo update-ca-certificates
配置PostgreSQL服務(wù)器
生成PostgreSQL服務(wù)器私鑰
# Remove default snakeoil certs sudo rm /var/lib/postgresql/9.1/main/server.key sudo rm /var/lib/postgresql/9.1/main/server.crt # Enter a passphrase sudo -u postgres openssl genrsa -des3 -out /var/lib/postgresql/9.1/main/server.key 2048 # Remove the passphrase sudo -u postgres openssl rsa -in /var/lib/postgresql/9.1/main/server.key -out /var/lib/postgresql/9.1/main/server.key sudo -u postgres chmod 400 /var/lib/postgresql/9.1/main/server.key
生成PostgreSQL服務(wù)器證書簽署請求(CSR)
sudo -u postgres openssl req -new -nodes -key /var/lib/postgresql/9.1/main/server.key -days 3650 -out /tmp/server.csr -subj '/C=SE/ST=Stockholm/L=Stockholm/O=Trustly/CN=postgres'
用CA私鑰簽署PostgreSQL服務(wù)器證書請求
sudo openssl req -x509 \ -key /etc/ssl/private/trustly-ca.key \ -in /tmp/server.csr \ -out /var/lib/postgresql/9.1/main/server.crt sudo chown postgres:postgres /var/lib/postgresql/9.1/main/server.crt
創(chuàng)建根(root)證書=PostgreSQL服務(wù)器證書+CA證書
sudo -u postgres sh -c 'cat /var/lib/postgresql/9.1/main/server.crt /etc/ssl/certs/trustly-ca.pem > /var/lib/postgresql/9.1/main/root.crt' sudo cp /var/lib/postgresql/9.1/main/root.crt /usr/local/share/ca-certificates/trustly-postgresql.crt sudo update-ca-certificates
授權(quán)訪問
CREATE GROUP sslcertusers; ALTER GROUP sslcertusers ADD USER joel; # /etc/postgresql/9.1/main/pg_hba.conf: hostssl nameofdatabase +sslcertusers 192.168.1.0/24 cert clientcert=1
重啟PostgreSQL
sudo service postgresql restart
PostgreSQL客戶端設(shè)置
從PostgreSQL服務(wù)器上復(fù)制根證書
mkdir ~/.postgresql cp /etc/ssl/certs/trustly-postgresql.pem ~/.postgresql/root.crt
生成PostgreSQL客戶端私鑰
openssl genrsa -des3 -out ~/.postgresql/postgresql.key 1024 # If this is a server, remove the passphrase: openssl rsa -in ~/.postgresql/postgresql.key -out ~/.postgresql/postgresql.key
生成PostgreSQL客戶端證書簽署請求并簽署
# Replace "joel" with username: openssl req -new -key ~/.postgresql/postgresql.key -out ~/.postgresql/postgresql.csr -subj '/C=SE/ST=Stockholm/L=Stockholm/O=Trustly/CN=joel' sudo openssl x509 -req -in ~/.postgresql/postgresql.csr -CA /etc/ssl/certs/trustly-ca.pem -CAkey /etc/ssl/private/trustly-ca.key -out ~/.postgresql/postgresql.crt -CAcreateserial sudo chown joel:joel -R ~/.postgresql sudo chmod 400 -R ~/.postgresql/postgresql.key
到此,關(guān)于“如何設(shè)置CA證書來強化PostgreSQL的安全性”的學(xué)習(xí)就結(jié)束了,希望能夠解決大家的疑惑。理論與實踐的搭配能更好的幫助大家學(xué)習(xí),快去試試吧!若想繼續(xù)學(xué)習(xí)更多相關(guān)知識,請繼續(xù)關(guān)注億速云網(wǎng)站,小編會繼續(xù)努力為大家?guī)砀鄬嵱玫奈恼拢?/p>
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點不代表本網(wǎng)站立場,如果涉及侵權(quán)請聯(lián)系站長郵箱:is@yisu.com進行舉報,并提供相關(guān)證據(jù),一經(jīng)查實,將立刻刪除涉嫌侵權(quán)內(nèi)容。