[英]How to create client certificate for multiple users for Postgresql DB with OpenSSL?
In my database environment (Postgresql 13 on Oracle Linux 8), i can create a client certificate for specific postgresql db user as below:在我的数据库环境(Oracle Linux 8 上的 Postgresql 13)中,我可以为特定的 postgresql db 用户创建一个客户端证书,如下所示:
openssl req -new -nodes -out client.csr \
-keyout keys/client.key -subj "/CN={db_username}"
Though it's working for one username, i wonder if multiple usernames or wildcards can be used.虽然它适用于一个用户名,但我想知道是否可以使用多个用户名或通配符。 For example, can it be used like :
例如,它可以像这样使用:
CN=user1,user2,user3
or something similar?或类似的东西?
No, but as the documentation describes, you can use a map in the pg_ident.conf
file:不,但正如文档所述,您可以在
pg_ident.conf
文件中使用映射:
User name mapping can be used to allow
cn
to be different from the database user name.用户名映射可用于允许
cn
与数据库用户名不同。
So you could use one certificate (with a single name) for several database users.因此,您可以为多个数据库用户使用一个证书(具有单一名称)。
As an example, the line in pg_hba.conf
could look like例如,
pg_hba.conf
的行可能看起来像
# TYPE DATABASE USER ADDRESS METHOD
host mydb user1 12.34.56.78/32 cert map=mymap
host mydb user2 12.34.56.78/32 cert map=mymap
host mydb user3 12.34.56.78/32 cert map=mymap
Then pg_ident.conf
might look like然后
pg_ident.conf
可能看起来像
# MAPNAME SYSTEM-USERNAME PG-USERNAME
mymap certuser user1
mymap certuser user2
mymap certuser user3
Here, certuser
is the common name in the certificate.此处,
certuser
是证书中的通用名称。
After giving it lots of tries, i found out that my connection doesn't care about the CN at my client certificate if i configure pg_hba.conf like this:经过多次尝试后,我发现如果我像这样配置pg_hba.conf ,我的连接并不关心客户端证书中的 CN:
hostssl all all 192.168.1.34/32 scram-sha-256 clientcert=1
This way, connection can be established as long as required key and certificates are available.这样,只要所需的密钥和证书可用,就可以建立连接。 In addition, passwords will be required so that makes the connection secure.
此外,还需要密码以确保连接安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.