HiveBrain v1.2.0
Get Started
← Back to all entries
patternsqlMinor

Why would I download CA certificate when starting a managed Postgres cluster on DigitalOcean?

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
managedcertificatewhystartingpostgresdigitaloceanwouldwhendownloadcluster

Problem

I am trying for the first time a Postgres cluster provided as a managed service by DigitalOcean.com.

As part of configuring the new cluster, their web interface gives me a user name, password, port number and such. On that web page is a tiny link saying Download the CA certificate. I assume CA means Certificate Authority.

➥ Why would I use or not use that link to download the certificate?

When I click the link, I end up with a file on my machine named ca-certificate.crt. How would I use this file?

Solution

To elaborate on Laurenz's answer, if someone can intercept your internet traffic intended for Digital Ocean they could set up a malicious PostgreSQL server that you would connect to unwittingly and then they could record your queries, results, and probably even your password.

Using verify-full is a way to make sure the server you are actually connected to has access to a cert (and the corresponding key) which has been issued by the CA to the hostname which you specified for the connection. So unless the man-in-the-middle either compromised the actual CA, or tricked you into installing a malicious CA cert, he can't pull this trick anymore.

Even if you are not particularly concerned about a MITM, you should download the cert (over https!) and install and configure it to be used, as a learning experience if nothing else. You can probably test it by specifying the IP address rather than the hostname in your connection string, and it should be blocked as the IP address is (probably) not in the server's cert.

Context

StackExchange Database Administrators Q#270706, answer score: 5

Revisions (0)

No revisions yet.