<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.12. Certificate Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="auth-radius.html" title="20.11. RADIUS Authentication" /><link rel="next" href="auth-pam.html" title="20.13. PAM Authentication" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.12. Certificate Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-radius.html" title="20.11. RADIUS Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 11.10 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-pam.html" title="20.13. PAM Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="AUTH-CERT"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.12. Certificate Authentication</h2></div></div></div><a id="id-1.6.7.19.2" class="indexterm"></a><p> This authentication method uses SSL client certificates to perform authentication. It is therefore only available for SSL connections. When using this authentication method, the server will require that the client provide a valid, trusted certificate. No password prompt will be sent to the client. The <code class="literal">cn</code> (Common Name) attribute of the certificate will be compared to the requested database user name, and if they match the login will be allowed. User name mapping can be used to allow <code class="literal">cn</code> to be different from the database user name. </p><p> The following configuration options are supported for SSL certificate authentication: </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">map</code></span></dt><dd><p> Allows for mapping between system and database user names. See <a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a> for details. </p></dd></dl></div><p> </p><p> In a <code class="filename">pg_hba.conf</code> record specifying certificate authentication, the authentication option <code class="literal">clientcert</code> is assumed to be <code class="literal">1</code>, and it cannot be turned off since a client certificate is necessary for this method. What the <code class="literal">cert</code> method adds to the basic <code class="literal">clientcert</code> certificate validity test is a check that the <code class="literal">cn</code> attribute matches the database user name. </p></div><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navfooter"><hr></hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-radius.html" title="20.11. RADIUS Authentication">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-pam.html" title="20.13. PAM Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.11. RADIUS Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 11.10 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 20.13. PAM Authentication</td></tr></table></div></body></html>