[email protected]
17 Nov, 2025
0 Comments
2 Mins Read

Secure PostgreSQL Connections with SSL/TLS

How to Secure PostgreSQL Connections with SSL/TLS

Securing client–server communication is a crucial responsibility for every PostgreSQL DBA. One of the strongest ways to protect your database traffic is by enabling SSL/TLS encryption. SSL ensures that data transferred between PostgreSQL clients and servers is encrypted, tamper-proof, and trusted — an essential practice in any production-grade environment.

For anyone learning postgresql for dba or enrolled in postgresql dba online training, understanding SSL/TLS configuration is a must-have skill.

1. How SSL/TLS Works in PostgreSQL

When SSL/TLS is enabled:

The server presents a certificate to the client.
The client validates the certificate.
Data exchanged between both sides is encrypted.
Optional: Client certificates can be used for mutual authentication.

2. Required SSL Files

PostgreSQL needs the following files (stored in the data directory):

File	Purpose
`server.crt`	Server certificate
`server.key`	Private key (must be 600 permission)
`root.crt`	Certificate Authority (CA)
`client.crt`	Client certificate (optional)
`client.key`	Client key (optional)

3. Enabling SSL in postgresql.conf

Edit the configuration file:

# postgresql.conf
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
ssl_ca_file   = 'root.crt'
port = 5432

Restart PostgreSQL:

sudo systemctl restart postgresql

4. Update pg_hba.conf for SSL Enforcement

Allow only SSL-encrypted connections:

# TYPE  DATABASE  USER  ADDRESS         METHOD
hostssl all       all   0.0.0.0/0       md5

Reject non-SSL connections:

hostnossl all     all   0.0.0.0/0       reject

Reload config:

sudo systemctl reload postgresql

5. Connect Using SSL From psql

To confirm SSL is active:

psql "host=your-server-ip dbname=test user=postgres sslmode=require"

Check SSL status after logging in:

SHOW ssl;
SHOW ssl_cert_file;
SHOW ssl_key_file;

6. Common sslmode Values

Mode	Description
`disable`	Do not use SSL
`allow`	Use SSL if available
`prefer`	Prefer SSL, fallback to non-SSL
`require`	SSL required but cert not validated
`verify-ca`	Verify CA certificate
`verify-full`	Full validation (hostname + CA)

Conclusion

Implementing SSL/TLS is one of the foundational steps in hardening PostgreSQL. Whether you’re learning through postgresql dba online training or practicing postgresql for dba, mastering secure communication will elevate your DBA skillset significantly.

At Learnomate Technologies, we make sure you not only understand such cutting-edge features but also know how to implement them in real-world projects. Whether you’re a beginner looking to break into the database world or an experienced professional upgrading your skillset—we’ve got your back with the most practical, hands-on training in Oracle technologies.

Want to see how we teach? Head over to our YouTube channel for insights, tutorials, and tech breakdowns: www.youtube.com/@learnomate

To know more about our courses, offerings, and team: Visit our official website: www.learnomate.org

Let’s connect and talk tech! Follow me on LinkedIn for more updates, thoughts, and learning resources: https://www.linkedin.com/in/ankushthavali/

If you want to read more about different technologies, Check out our detailed blog posts here: https://learnomate.org/blogs/

Let’s keep learning, exploring, and growing together. Because staying curious is the first step to staying ahead.

Happy learning!

ANKUSH