{"id":42937077,"url":"https://github.com/quasoft/pgcrtauth","last_synced_at":"2026-01-30T19:35:55.337Z","repository":{"id":57660728,"uuid":"141833849","full_name":"quasoft/pgcrtauth","owner":"quasoft","description":"Simple tool for generation of self-signed certificates for PostgreSQL servers","archived":false,"fork":false,"pushed_at":"2018-07-27T17:23:42.000Z","size":14,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-11-15T07:37:48.221Z","etag":null,"topics":["certificate-authority","certificates","postgresql","self-signed","ssl"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/quasoft.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-07-21T17:42:13.000Z","updated_at":"2018-07-27T17:23:44.000Z","dependencies_parsed_at":"2022-09-26T20:31:03.823Z","dependency_job_id":null,"html_url":"https://github.com/quasoft/pgcrtauth","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/quasoft/pgcrtauth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quasoft%2Fpgcrtauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quasoft%2Fpgcrtauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quasoft%2Fpgcrtauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quasoft%2Fpgcrtauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/quasoft","download_url":"https://codeload.github.com/quasoft/pgcr
tauth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quasoft%2Fpgcrtauth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28918222,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T19:10:10.838Z","status":"ssl_error","status_checked_at":"2026-01-30T19:06:40.573Z","response_time":66,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-authority","certificates","postgresql","self-signed","ssl"],"created_at":"2026-01-30T19:35:54.569Z","updated_at":"2026-01-30T19:35:55.331Z","avatar_url":"https://github.com/quasoft.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pgcrtauth\n\npgcrtauth is a simple cross-platform tool for generation of self-signed certificates for standalone and clustered PostgreSQL servers.\n\nThe tool comes in handy when you need a self-signed server certificate for tests or development and don't have openssl around.\n\n## How to use\n\nThe following two use cases are currently supported:\n\n1. 
Generate a self-signed certificate for a single standalone PostgreSQL server:\n      \n       pgcrtauth generate --hostnames \"srv1.company.local,10.0.0.1\" \\\n           --organization \"My Company\" --common-name \"srv1.company.local\" \\\n           --out-dir /certs/srv1/ --self-signed\n\n   or the same command with shorthand flags:\n\n       pgcrtauth generate -H \"srv1.domain.local,10.0.0.1\" \\\n           -O \"My Company\" -C \"srv1.domain.local\" -o /certs/srv1/ -s\n\n2. Create certificates for servers in a PostgreSQL cluster that are signed by a common certificate authority (CA):\n\n   * The following command creates the `root.crt` and `root.key` files in an empty folder - your CA:\n      \n          pgcrtauth init --organization \"My Company\" --common-name \"ClusterCA\" --ca-dir /certs/ca/\n\n   * Then generate a certificate signed by \"ClusterCA\" for each server in the cluster:\n\n          pgcrtauth generate -H \"srv1.domain.local\" -O \"My Company\" -C \"srv1.domain.local\" \\\n              -o /certs/srv1/ --ca-dir /certs/ca/\n\n   * That's it. You can copy the `/certs/ca/root.crt`, `/certs/srv1/server.crt` and `/certs/srv1/server.key` files to the server data directory.\n   \n      *The tool automatically restricts access to .key files by executing `chmod og-rwe server.key` or `icacls server.key /reset \u0026\u0026 icacls server.key /inheritance:r /grant:r \"CREATOR OWNER:F\"`. Make sure to do the same after you transfer the files to the PostgreSQL server*.\n\n### Warning\n\nIf you intend to use this tool for anything more than tests and development:\n\n- Use the tool only on a secure offline machine;\n- Restrict access to your `/certs/ca/` directory;\n- Keep the `root.key` file only on this offline machine. 
It's not needed by PostgreSQL;\n- Transfer the server certificates (`server.crt` and `server.key`) to the servers via an offline method.\n\n### TODO:\n\nPlanned features anyone can contribute to:\n\n- [ ] Always password protect the CA key\n- [ ] Support generation of client certificates\n- [ ] Add a request subcommand for creation of a certificate signing request for an external CA.\n- [ ] Warn user not to copy root.key to the server after a new CA has been created\n- [ ] Warn if creating or using CA on a computer that is running an instance of PostgreSQL\n- [ ] Allow customization of commonly used parameters (e.g. Country, State, City, Organization Unit and Email Address).\n- [ ] Use Windows API to set file ACL instead of invoking the icacls command","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquasoft%2Fpgcrtauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquasoft%2Fpgcrtauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquasoft%2Fpgcrtauth/lists"}