20.12. Certificate Authentication
This authentication method uses SSL client certificates to perform
authentication. It is therefore only available for SSL connections;
see
Section 18.9.2
for SSL configuration instructions.
When using this authentication method, the server will require that
the client provide a valid, trusted certificate. No password prompt
will be sent to the client. The
cn
(Common Name)
attribute of the certificate
will be compared to the requested database user name, and if they match
the login will be allowed. User name mapping can be used to allow
cn
to be different from the database user name.
The following configuration options are supported for SSL certificate authentication:
-
map
-
Allows for mapping between system and database user names. See Section 20.2 for details.
In a
pg_hba.conf
record specifying certificate
authentication, the authentication option
clientcert
is
assumed to be
1
, and it cannot be turned off since a client
certificate is necessary for this method. What the
cert
method adds to the basic
clientcert
certificate validity test
is a check that the
cn
attribute matches the database
user name.