Edit
Report

PostgreSQL TLS configuration reference

Uses: Kong Gateway
Related Documentation
All Gateway Documentation
Tags
#database #tls

TLS (Transport Layer Security) provides a secure communication channel between Kong Gateway and PostgreSQL. When configured correctly, TLS ensures encrypted traffic, verifies authenticity, and helps maintain data integrity.

Mutual TLS (mTLS) enhances this by requiring both the client Kong Gateway and the PostgreSQL server to authenticate each other. This approach further reduces the risk of unauthorized access by validating the identities at both ends of the connection.

Using TLS and mTLS for database communication introduces benefits such as:

  • Encryption: Protects data in transit from being intercepted.
  • Authentication: Verifies both the server and client identities.
  • Integrity: Prevents tampering during transmission.

However, enabling TLS or mTLS does add operational complexity. Proper configuration requires valid certificates, matching protocol versions, and secure file permissions.

Kong Gateway supports TLS and mTLS when connecting to PostgreSQL and provides configuration options to control verification depth, trusted certificate authorities, and client certificate authentication.

PostgreSQL must be compiled or installed with TLS support. In mTLS setups, the server must also validate client certificates, typically by matching certificate metadata with database access rules.

PostgreSQL requirements

Requirement

Description

Required For
ssl = on Enables SSL/TLS connections in PostgreSQL. All TLS setups
ssl_cert_file Path to the server certificate file (.crt). TLS and mTLS
ssl_key_file Path to the server private key file (.key). TLS and mTLS
ssl_ca_file Path to the trusted Certificate Authority chain file. mTLS
ssl_crl_file Path to the certificate revocation list (CRL). Optional validation in mTLS
pg_ssl = on Enables SSL support for PostgreSQL connections in Kong Gateway. All TLS setups
pg_ssl_required = on Forces Kong Gateway to require SSL when connecting to PostgreSQL. All TLS setups
pg_ssl_verify = on Enables verification of the server certificate. TLS and mTLS
pg_ssl_version TLS protocol version to use (e.g., tlsv1_2). TLS and mTLS
lua_ssl_trusted_certificate Path to trusted CA certificates used for verification. TLS and mTLS
lua_ssl_verify_depth Verification depth for certificate chains. TLS and mTLS
pg_ssl_cert Path to client certificate file. mTLS
pg_ssl_cert_key Path to client private key file. mTLS

Certificates

Certificates can be generated with OpenSSL. The most secure setups use an intermediate CA chain.

Self-signed certificates can be used for testing but are not recommended for production.

Intermediate Certificate Chain

In a secure TLS setup, certificate authorities may include an intermediate CA between the root CA and the server or client certificate. This chain strengthens trust and is a common production setup.

To configure:

  • Generate a root CA certificate to serve as the ultimate trust anchor.
  • Issue an intermediate certificate signed by the root CA.
  • Use the intermediate CA to sign server and client certificates.
  • Assemble the certificate chain by appending the intermediate and root certificates in order.
  • Ensure PostgreSQL and Kong Gateway are configured to trust the appropriate CA certificates.

This approach enhances security by keeping the root CA offline and delegating trust to intermediates.

Root-Only Certificate Chain

In this simpler setup, the root CA directly signs both server and client certificates. This reduces complexity but can increase risk.

To configure:

  • Generate a root CA certificate and private key.
  • Use the root CA to sign the server and client certificates.
  • Trust is established by distributing the root CA certificate to both PostgreSQL and Kong Gateway.

This setup is easier but lacks the layered security of intermediate chains.

Self-Signed Certificates

Self-signed certificates are useful for local testing or development, but should not be used in production.

To configure:

  • Generate a self-signed server certificate and private key.
  • Generate a self-signed client certificate and private key.
  • Configure PostgreSQL and Kong Gateway to trust these certificates directly.

Self-signed certificates do not chain to a CA, so each system must explicitly trust the individual certs.

FAQs

What should I do if I see could not accept SSL connection: wrong version number?

This usually means the client and server have incompatible TLS versions. Verify the PostgreSQL-supported versions using pg_config --configure and set a compatible version (like TLSv1.2 or higher) in the kong.conf using pg_ssl_version.

How do I fix could not load server certificate file errors in PostgreSQL?

Ensure the ssl_cert_file parameter in postgresql.conf points to an existing certificate file. By default, the file should be named server.crt and placed in the data directory.

What does certificate authentication failed for user mean?

This occurs when the common name (CN) of the client certificate does not match the PostgreSQL username. Configure username mapping in pg_ident.conf to resolve the mismatch.

Why does Kong Gateway say connection requires a valid client certificate?

This means PostgreSQL is enforcing mTLS, but Kong Gateway is not presenting a valid certificate. Ensure that pg_ssl_cert and pg_ssl_cert_key are set correctly in kong.conf.

How do I correct private key permission errors in PostgreSQL?

The key file must be owned by the database user and set to 0600, or by root with 0640. Adjust using chmod 0600 or chmod 0640 accordingly.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support