Prepare Certificates Required for KMIP Communication

  1. Generate a CSR on the Postgres Linux server.

    1. Change to the home directory of enterprisedb.

    2. Generate a private key using OpenSSL.
      $ openssl genrsa -out client1.key 2048

    3. Create a Certificate Signing Request (CSR) with the generated private key. Include necessary fields for CSR generation.
      $ openssl req -new -key client1.key -out client1.csr -sha256

      The figure below shows the generation of the private key (client1.key) and the CSR (client1.csr), with the fields entered for the CSR, including kmip_client_EDB as the Common Name.

      image-20250711-152227.png
      Linux Terminal: CSR generation
  2. Sign the CSR with the ESKM local CA and copy the signed certificate to the Postgres Linux server.
    The CSR now needs to be signed by the local CA.

    1. View the client1.csr file using the cat command (cat client1.csr) or open it in any text editor.

    2. Select the entire text and copy it to your clipboard.
      Make sure to include the first and last lines (-----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----).

    3. Log in to the Management Console and go to Security > Certificates & CAs > Local CAs.

    4. Select the CA used by your ESKM (in this case, ESKMLocalCA), and click on Sign Request. The Sign Request window will appear.

      image-20250711-152512.png
      ESKM server: Local CA sign request selection
    5. For certificate purpose, select Client.

    6. Paste the CSR text you copied into the Certificate Request window.

    7. Click Sign Request.

      image-20250711-152712.png
      ESKM server: certificate signing with Local CA
    8. The signed client certificate is displayed. Download the signed client certificate by clicking Download, and copy it to the Postgres Linux server (the downloaded file is referred to as signed.crt in the remaining steps).

      image-20250711-152910.png
      ESKM server: signed certificate download
  3. Copy the ESKM local CA to the Postgres Linux server.

    1. The ESKM local CA (ESKMLocalCA) can be downloaded from the ESKM management console. Go to Security > Certificates & CAs > Local CAs, select the CA used by the ESKM (in this case, ESKMLocalCA), and click Download.

      image-20250711-153137.png
      ESKM server: Local CA download selection
    2. Copy the downloaded local CA to the Postgres Linux server.

  4. Rename the ESKM local CA to cacert.pem.
    $ cp ESKMLocalCA.crt cacert.pem

  5. Combine the private key and client certificate and rename to client1.pem.
    The created private key (client1.key) and the signed client certificate (signed.crt) need to be combined and renamed to client1.pem.
    $ cat client1.key signed.crt > client1.pem