This page explains how to manually generate an agent certificate. This is necessary if you are using a local CA rather than sslutils, or if you are using sslutils but wish to transition to using a common agent certificate.
These instructions may also be useful if you are using an organizational or external CA that requires you to supply a certificate signing request (CSR). In this case, you need to replace steps 3 and 4 with the appropriate steps for your CA.
See Deciding on an SSL model for more detail on these different SSL models.
Generating an agent certificate and key
1. On the host where the agent will run, generate a private key for the agent (run as root):

   ```shell
   openssl genrsa -out agent.key 4096
   ```

2. Generate a CSR for the agent:

   ```shell
   openssl req -new -key agent.key -out agent.csr -subj '/C=<country>/ST=<state>/L=<locality>/O=<organization>/CN=<agent_user>'
   ```

   Where `-subj` is completed appropriately for your organization, and `<agent_user>` is replaced with the Postgres username that the agent will use to connect to the PEM database. PEM compares this common name with the agent user, so it must match exactly.

3. Copy the CSR to the host where your CA is located.

4. On the CA host, use the `openssl x509` command to sign the CSR and generate an agent certificate:

   ```shell
   openssl x509 -req -days 365 -in agent.csr -CA ca_certificate.crt -CAkey ca_key.key -CAcreateserial -out agent.crt
   ```

5. Copy `agent.crt` back to the agent host. Only the CSR and the signed certificate leave the agent host; the private key `agent.key` stays where it was generated.

6. On the agent host, change the permissions on the `agent.crt` and `agent.key` files so that only their owner can read them:

   ```shell
   chmod 600 agent.crt agent.key
   ```
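The six steps above collected into one runnable script, as an added example that is not the PEM documentation's own code. It assumes a working `openssl` CLI, builds a throwaway local CA in a temporary directory so that it runs offline (in a real deployment steps 3 and 4 happen on the CA host, where `ca_key.key` and `ca_certificate.crt` already exist), and uses `pem_agent_user`, the DN fields and the file name `agent-cert.sh` as placeholders. Beyond the page's steps it adds the checks a practitioner wants before registering the agent: that the certificate chains to the CA, that it was issued for the key in `agent.key`, and that its CN is exactly the agent user.

```shell
#!/bin/sh
# Added example, not from the PEM documentation: the six steps above as shell
# functions, plus the checks worth running before pointing an agent at the result.
# Assumptions: a working openssl CLI; everything happens in one directory here
# (WORKDIR) although on a real deployment steps 3 and 4 run on the CA host.
# "pem_agent_user" and the DN fields are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
AGENT_USER="${AGENT_USER:-pem_agent_user}"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
# The v3_ca section gives the test CA the basicConstraints that "openssl verify"
# requires of an issuer.
write_openssl_cnf() {
    cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example PEM test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Constructed for the example only: a throwaway local CA. In production the CA
# key and certificate (ca_key.key, ca_certificate.crt) already exist on the CA host.
make_test_ca() {
    write_openssl_cnf
    openssl genrsa -out "$WORKDIR/ca_key.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORKDIR/ca_key.key" -days 365 \
        -config "$WORKDIR/openssl.cnf" -out "$WORKDIR/ca_certificate.crt"
}

# Steps 1 and 2: key and CSR on the agent host. The CN is the Postgres user the
# agent will connect as; PEM compares the two.
make_agent_key_and_csr() {
    user="$1"
    umask 077   # the key is never world-readable, not even before the chmod in step 6
    openssl genrsa -out "$WORKDIR/agent.key" 4096 2>/dev/null
    openssl req -new -key "$WORKDIR/agent.key" -out "$WORKDIR/agent.csr" \
        -config "$WORKDIR/openssl.cnf" \
        -subj "/C=US/ST=MA/L=Bedford/O=Example/CN=$user"
}

# Steps 4 and 6: sign with the CA, then restrict both files to their owner.
sign_agent_csr() {
    openssl x509 -req -days 365 -in "$WORKDIR/agent.csr" \
        -CA "$WORKDIR/ca_certificate.crt" -CAkey "$WORKDIR/ca_key.key" \
        -CAcreateserial -out "$WORKDIR/agent.crt" 2>/dev/null
    chmod 600 "$WORKDIR/agent.crt" "$WORKDIR/agent.key"
}

# Checks to run before registering the agent. Returns 0 when all pass, otherwise:
#   1  the certificate does not chain to the CA (the PEM server will reject it)
#   2  the certificate was issued for a different key than agent.key
#   3  the CN does not equal the intended agent user
verify_agent_cert() {
    expected_user="$1"
    openssl verify -CAfile "$WORKDIR/ca_certificate.crt" "$WORKDIR/agent.crt" >/dev/null 2>&1 || return 1
    crt_pub=$(openssl x509 -in "$WORKDIR/agent.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORKDIR/agent.key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || return 2
    cn=$(openssl x509 -in "$WORKDIR/agent.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=[[:space:]]*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expected_user" ] || return 3
    return 0
}

# Usage: sh agent-cert.sh run   (file name assumed for this example)
if [ "${1:-}" = "run" ]; then
    make_test_ca
    make_agent_key_and_csr "$AGENT_USER"
    sign_agent_csr
    verify_agent_cert "$AGENT_USER" && echo "agent.crt in $WORKDIR is valid for CN=$AGENT_USER"
fi
```

`verify_agent_cert` returns a distinct non-zero code for each failure, which makes it easy to tell a wrong CA from a key mix-up or a CN typo before PEM refuses the agent's connection.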
Configuring the agent to use the new certificate and key
The next step depends on whether this certificate and key are to be used by a new agent or by an agent that is already registered.

For a new agent:

1. Register the agent, providing the absolute path to the new certificate and key file. The value of `<agent_user>` must match the common name on the certificate and be a Postgres user with the `pem_agent` role on the PEM backend database. `PEM_SERVER_PASSWORD` holds the password of the PEM user named by `--pem-user` (`edb` here is only an example value; exporting it in an interactive shell leaves it in the shell history). The paths below assume `agent.crt` and `agent.key` were placed in `/root/.pem`:

   ```shell
   export PEM_SERVER_PASSWORD=edb
   /usr/edb/pem/agent/bin/pemworker --register-agent \
       --pem-server 192.168.99.130 \
       --pem-user enterprisedb \
       --pem-port 5444 \
       --pem-agent-user <agent_user> \
       -o agent_ssl_crt=/root/.pem/agent.crt \
       -o agent_ssl_key=/root/.pem/agent.key
   ```

2. Enable and start the pemagent service:

   ```shell
   systemctl enable pemagent
   systemctl start pemagent
   ```

For an agent that is already registered:

1. Edit the `agent_ssl_key` and `agent_ssl_crt` parameters in the `agent.cfg` file on the agent host to provide the absolute paths to the new key and certificate respectively. If you are also changing the agent user, edit `agent_user` too; it must match the common name on the certificate and be a Postgres user with the `pem_agent` role on the PEM backend database.

   ```
   agent_user=<agent_user>
   agent_ssl_key=/<new_location>/agent.key
   agent_ssl_crt=/<new_location>/agent.crt
   ```

2. Restart the pemagent service:

   ```shell
   systemctl restart pemagent
   ```