How to Replace httpd Self-Signed SSL Certificates with Trusted CA-Signed Certificates in Postgres Enterprise Manager

January 20, 2023

1. Stop the httpd service using the command below on the server where your web service (httpd) is configured:


systemctl stop httpd (RHEL 7.x)

/etc/init.d/httpd stop (RHEL 6.x)

2. Change the current directory to ‘/usr/edb/pem/resources’


[root@localhost resources]# cd /usr/edb/pem/resources


You should have the following self-signed certificate and its key file:


[root@localhost resources]# ls -ltrh

total 12K

-rw-r--r--. 1 root root 3.7K May 17 11:19

-rw-rw-r--. 1 root root 3.2K May 17 11:19 server-pem.key

-rw-rw-r--. 1 root root 2.2K May 17 11:19 server-pem.crt


3. Take a backup of the certificate and the key before replacing them with the trusted CA certificates.


4. After taking the backup, remove the certificate and the key file from the location “/usr/edb/pem/resources”:


[root@localhost resources]# rm server-pem.*

rm: remove regular file 'server-pem.crt'? y

rm: remove regular file 'server-pem.key'? y


5. Place your trusted CA certificate, intermediate certificate and the key in the same location, as shown below. Please set the owner to root and the permissions to 664 (chmod 664):


[root@localhost resources]# ls -ltrh

total 16K

-rw-r--r--. 1 root root 3.7K May 17 11:19

-rw-rw-r--. 1 root root 4.0K Jul 18 12:59 GandiStandardSSLCA2.pem

-rw-rw-r--. 1 root root 3.2K Jul 18 12:59

-rw-rw-r--. 1 root root 2.5K Jul 18 12:59


6. You can see that I have “” certificate and “” key file and “GandiStandardSSLCA2.pem” SSL cert chain file. I have made sure to set up the hostname and DNS to so that the flow could work correctly. To check network connectivity, you can use the “ping” utility from another server to confirm that the hostname resolves.


ping  —— (This should be done from another server in the network)


7. After placing the certificate, key and chain file, you need to modify the following lines in the file “/etc/httpd/conf.d/edb-ssl-pem.conf”:


#   General setup for the virtual host

DocumentRoot "/usr/edb/pem/web"


SSLEngine on

SSLCertificateFile "/usr/edb/pem/resources/"

SSLCertificateKeyFile "/usr/edb/pem/resources/"

SSLCertificateChainFile "/usr/edb/pem/resources/GandiStandardSSLCA2.pem"


8. You also need to modify the following parameters in “/etc/httpd/conf/httpd.conf”:




9. Please start the httpd service using the command below:


systemctl start httpd (CentOS/RHEL 7)

/etc/init.d/httpd24-httpd start (CentOS/RHEL 6)


10. If the httpd service starts successfully, then please verify by opening the web client. I used the following URL to verify the certificates, and it was not showing as “Not Secure” in the browser address bar. I have added the below screenshot as well:

NOTE: Please make sure that the or whatever is the hostname of the PEM server, the server from which you are opening the web client should resolve it at the network level otherwise the browser will not be able to open the web client.
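A pre-flight check for the directives edited in step 7, meant to be run before starting httpd in step 9. This is an added example, not part of the original post or of PEM; the function names are hypothetical. It confirms that each SSL directive points at a regular file with a PEM header, and it warns when the private key is readable by every local account, which is the case for mode 664.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the SSL file directives in an httpd
# config such as /etc/httpd/conf.d/edb-ssl-pem.conf. Function names are
# hypothetical; nothing here is part of PEM or httpd.

# Print the path set for directive $2 in config file $1.
# Commented-out lines are skipped; the last active occurrence wins.
ssl_directive_path() {
    awk -v d="$2" '
        tolower($1) == tolower(d) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # strip the directive name
            gsub(/^"|"[ \t]*$/, "")            # strip surrounding quotes
            p = $0
        }
        END { print p }' "$1"
}

# Check one referenced file. $1 = directive, $2 = path, $3 = "key" or "cert".
check_pem_file() {
    if [ -z "$2" ]; then echo "FAIL $1: directive missing"; return 1; fi
    if [ ! -f "$2" ]; then echo "FAIL $1: $2 is not a regular file"; return 1; fi
    if ! grep -q -e '-----BEGIN ' "$2"; then
        echo "FAIL $1: $2 has no PEM header"; return 1
    fi
    # ls -l mode string: character 8 is the read bit for "other" users.
    case "$3:$(ls -ld "$2" | cut -c1-10)" in
        key:???????r??) echo "WARN $1: $2 is readable by all local users" ;;
        *)              echo "OK   $1: $2" ;;
    esac
}

# Check all three directives; return non-zero if any file is unusable.
check_ssl_conf() {
    rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        kind=cert
        if [ "$d" = SSLCertificateKeyFile ]; then kind=key; fi
        check_pem_file "$d" "$(ssl_directive_path "$1" "$d")" "$kind" || rc=1
    done
    return "$rc"
}

# Usage: sh check.sh /etc/httpd/conf.d/edb-ssl-pem.conf
if [ $# -gt 0 ]; then check_ssl_conf "$1"; fi
```

A directive whose value is a directory or a path with no file name is reported as FAIL, so a half-edited config is caught before the service restart.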
