Managing SSL certificates v9
PEM uses self-signed SSL certificates:
- To secure requests to the web server (Apache httpd), which provides the user interface and REST API.
- To secure and authenticate the PEM agent connections to the PEM backend database.
PEM uses self-signed SSL certificates for the Apache httpd server. The self-signed SSL certificate and key files for the Apache httpd server are generated during PEM installation.
To use your own SSL certificate for PEM, update the Apache HTTP configuration file
Update these two SSL directives in the PEM VirtualHost section:
SSLCertificateFileis your certificate file, for example,
.keyfile generated when you created the certificate signing request (CSR), for example,
For example, make the following updates:
To increase security, you can replace the httpd self-signed SSL certificates with trusted CA signed certificates in PEM. For more information, see Replacing httpd self-signed SSL certificates.
PEM backend database server and agent connection certificates
By default, PEM implements secured SSL/TLS connections between PEM agents and the backend database. It also acts as its own certificate authority (CA) to generate certificates and keys for the PEM server and agent. The self-signed SSL certificates and keys for the PEM server and agent are generated during PEM installation. These certificates and keys encrypt the connection from agent to server. In addition, PEM agents are authenticated using their certificate rather than a password.
You can replace the PEM self-signed SSL certificates and keys with the trusted CA certificates and keys. For more information, see Trusted CA certificates and keys.
How PEM self-signed SSL certificates work
The PEM server configuration script generates self-signed SSL certificate and key files for the PEM backend database server. The backend database server uses these certificates and keys to authenticate and encrypt the agent connections. Each certificate has an expiry date. Regenerate the certificates when they near expiration. For more information, see Regenerating server self-signed SSL certificates.
The PEM agent connects to the PEM backend database server using the libpq interface, acting as a client of the backend database server. The agent self-signed SSL certificates and keys get generated during agent registration. PEM agent establishes the connection with the PEM backend database server using the self-signed SSL certificate and key files.
Each agent has a unique identifier, and the agent certificates and keys have the corresponding identifier. Each certificate has an expiry date. Regenerate the certificates when they near expiration. For more information, see Regenerating agent self-signed SSL certificates.
If required, you can use the same certificate for all agents rather than one certificate per agent. For more information, see Generate common agent certificate and key pair.
For more information on using the SSL certificates to connect in Postgres, see Securing TCP/IP connections with SSL.
Certificate and key files generation
The PEM server generates the certificates and key files in the data directory of the backend database server:
ca_key.key files are used during the agent registration process to generate the agent's SSL certificates and key files.
root.crt file is a copy of the
ca_certificate.crt file. You use the root certificate for the backend database server by setting the
ssl_ca_file parameter as
root.crt in the
root.crl has the certificate revocation list (CRL) of digital certificates revoked by the issuing CA before their actual or assigned expiration date.
server.crt file is the signed certificate for the PEM server, and the
server.key file is the private key to the certificate. The PEM agent certificates are generated using these server certificate and key files.
PEM self-signed SSL certificate renewal
The PEM agent installed with the PEM server monitors the expiration date of the
ca_certificate.crt file. When the certificate is about to expire, PEM:
- Makes a backup of the existing certificate files
- Creates new certificate files and appends the new CA certificate file to the
root.crtfile on the PEM server
- Creates a job to renew the certificate file of any active agents
- Restarts the PEM server
Generate a common agent certificate and key pair
By creating and using a single Postgres user for all PEM agents rather than one user per agent (the default), you can use the same certificate for all agents.
Create a user, generate an agent certificate and key pair, and use them for all PEM agents.
Create one common agent user in the PEM backend database. Grant the
pem_agentrole to the user.
Generate an agent key:
Generate a CSR for the agent:
-subjis provided as per your requirements.
openssl x509command to sign the CSR and generate an agent certificate:
Change the permissions on the
Use this agent certificate and key pair:
For registering the new PEM agent from the remote host to the PEM server.
a. Copy the agent certificate and key pair to the remote agent host and register the agent:
b. Enable and start the pemagent services:
To replace the agent certificate and key pair with the registered agent.
a. Edit the
agent.cfgfile of the agent host:
b. Restart the pemagent service:
Use certificates and keys signed by trusted CA
Replace the PEM self-signed SSL certificates and keys with certificates and keys signed by a trusted CA.
After obtaining the trusted CA certificates and keys, replace the server and agent certificates and keys.
Replace the self-signed server SSL certificates with the certificates signed by the trusted CA
Back up the old server certificate and key files:
Generate a private key for the server:
Generate a CSR for the server:
-subjis provided as per your requirements. We recommend using the hostname or domain qualified full name of the PEM server host for
Obtain the CA certificate (
trusted_ca.crt) from a trusted CA.
Ask your CA to sign the CSR and generate the server certificate for you.
Verify the details of the new server certificate aren't tampered with and match your provided details:
Use the new certificate obtained from the CA as the
If the trusted CA doesn't provide CRL, disable CRL usage by the server. To disable the CRL usage, comment the
ssl_crl_fileparameter in the
If you accidentally leave a CRL from a previous CA in place and do not comment out
ssl_crl_file, the server will start but authentication will fail with an SSL error message
tlsv1 alert unknown ca. The error doesn't specify that the CRL is the cause, so this can be difficult to debug if encountered out of context.
Copy the new
server.crtfiles to the data directory of the backend database server:
Change the owner and permissions of the new certificates and key files to be the same as the data directory:
Don't restart the PEM server now. If you restart the PEM server, all the registered agents will stop working.
Replace each PEM agent SSL certificates with the trusted CA certificates. For more information, see these instructions.
Restart the PEM server.
- On Linux:
Restarting the backend database server restarts the PEM server.
Replace the self-signed agent SSL certificates with the certificates signed by the trusted CA
Replace the self-signed agent SSL certificates only after replacing the self-signed server certificates
server.key and CA certificate
Use psql to find all the agent identifiers (IDs) needed to replace the SSL certificates:
After identifying the agents that need key files, generate an
agent<ID>.keyfor each agent:
<ID>is the agent identifier.
Generate a CSR for each agent:
-subjis provided as per your requirements. Replace
CNwith an appropriate agent identifier.
If you prefer to use a single certificate for all PEM agents rather than one per agent, create a common Postgres user and supply this username in place of
ID. See Generate a common agent certificate and key pair.
Ask your CA to sign the CSR and generate the agent certificate for you.
Copy the certificate and key files on the respective hosts, where
Change the ownership and permission on the new
Back up the old agent certificate and key file:
Replace each agent's certificate and key file with the newly generated files:
Restart the PEM agent service.
- On Linux:
- On Windows: Use the Services applet to restart the PEM agent. The PEM agent service is named Postgres Enterprise Manager Agent. Select the service name in the Services dialog box, and select Restart the service.
If you experience authentication problems, you can use these tests to validate certificates.
Validate a certificate against the root certificate
To check whether a PEM agent certificate is trusted according to the server's
root.crt, copy both certificates to the same machine. Then execute the following command:
This command returns
agent1.crt: OK on success or an explanatory message on failure.
Make a test connection to the PEM backend database
To verify whether the agent user can connect using a certificate, on the server where the agent is located, execute the following commands as root:
<psql_path>is the full path to the psql executable, for example
<pem_host>is the hostname or IP address of PEM server.
<pem_db_port>is the PEM backend database server port.
<ID>is the ID of the agent you're testing, as defined in the file
If you used the instructions in Generate a common agent certificate and key pair
you must set
PGUSER to the common agent username.
If the connection succeeds, it returns the Postgres version of the database server. Success means that your certificate is valid and the Postgres user is correctly configured.