Saya menambahkan beberapa kode dari /programming/3313020/write-x509-certificate-into-pem-formatted-string-in-java untuk mengeluarkan sertifikat sebagai PEM, dan menghapus kebutuhan untuk menentukan db, nama pengguna atau kata sandi (mereka tidak diperlukan untuk mendapatkan sertifikat).
Dengan menggunakan ini, saya dapat memverifikasi bahwa restart PostgreSQL sayangnya tampaknya perlu untuk beralih ke sertifikat baru.
Bukan menjadi pengembang Java, langkah-langkah saya untuk membangun dan menjalankan mungkin tidak terlalu bagus, tetapi mereka bekerja, selama Anda dapat menemukan jdbc postgresql
# locate postgresql | grep jar
/path/to/a/lib/postgresql-9.1-901-1.jdbc4.jar <-- this one will do
...
Untuk mengkompilasi:
javac -cp /path/to/a/lib/postgresql-9.1-901-1.jdbc4.jar ./ShowPostgreSQLCert.java
Untuk berlari:
java -cp /path/to/a/lib/postgresql-9.1-901-1.jdbc4.jar:. ShowPostgreSQLCert 127.0.0.1
Output sampel:
Cert 1:
Subject: CN=...
Issuer: CN=...
Not Before: Fri Oct 21 11:14:06 NZDT 2016
Not After: Sun Oct 21 11:24:00 NZDT 2018
-----BEGIN CERTIFICATE-----
MIIHEjCCBfqgAwIBAgIUUbiRZjruNAEo2j1QPqBh6GzcNrwwDQYJKoZIhvcNAQEL
...
IcIXcVQxPzVrpIDT5G6jArVt+ERLEWs2V09iMwY7//CQb0ivpVg=
-----END CERTIFICATE-----
Cert 2:
...
Sumber:
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.postgresql.ds.PGSimpleDataSource;
import org.postgresql.ssl.WrappedFactory;
import javax.xml.bind.DatatypeConverter;
import java.security.cert.X509Certificate;
import java.io.StringWriter;
public class ShowPostgreSQLCert {
public static void main(String[] args) throws Throwable {
PGSimpleDataSource ds = new PGSimpleDataSource();
if( args.length != 1 ) {
System.out.println("Not enough arguments.");
System.out.println("Usage: ShowPostgreSQLCert ServerName");
System.exit(1);
}
ds.setServerName( args[0] );
ds.setSsl(true);
ds.setUser( "" );
ds.setDatabaseName( "" );
ds.setPassword( "" );
ds.setSslfactory(DumperFactory.class.getName());
try (Connection c = ds.getConnection()) { }
catch (org.postgresql.util.PSQLException e) {
// Don't actually want to login
}
}
public static class DumperFactory extends WrappedFactory {
public DumperFactory(String arg) throws GeneralSecurityException {
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[] { new DumperTM() }, null);
_factory = ctx.getSocketFactory();
}
}
public static String certToString(X509Certificate cert) {
StringWriter sw = new StringWriter();
try {
sw.write("-----BEGIN CERTIFICATE-----\n");
sw.write(DatatypeConverter.printBase64Binary(cert.getEncoded()).replaceAll("(.{64})", "$1\n"));
sw.write("\n-----END CERTIFICATE-----\n");
} catch (java.security.cert.CertificateEncodingException e) {
e.printStackTrace();
}
return sw.toString();
}
public static class DumperTM implements X509TrustManager {
public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
public void checkClientTrusted(X509Certificate[] certs, String authType) { }
public void checkServerTrusted(X509Certificate[] certs, String authType) {
for (int i=0; i<certs.length; ++i) {
System.out.println("Cert " + (i+1) + ":");
System.out.println(" Subject: " + certs[i].getSubjectX500Principal().getName());
System.out.println(" Issuer: " + certs[i].getIssuerX500Principal().getName());
System.out.println(" Not Before: " + certs[i].getNotBefore().toString());
System.out.println(" Not After: " + certs[i].getNotAfter().toString());
System.out.println(certToString(certs[i]));
}
}
}
}