https://learn.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security From the above Microsoft URL , i can see that Azure PostgreSQL supports having an SSL certificate , in connection string. Eg: psql "sslmode=verify-full sslrootcert=BaltimoreCyberTrustRoot.crt host=mydemoserver.postgres.database.azure.com dbname=postgres user=myusern@mydemoserver" Instead of the sslrootcert = BaltimoreCyberTrustRoot.crt , can i use a different certificate or configure the PaaS service of Azure PostgreSQL to use other cert , like for example abc.crt , that is sslrootcert=abc.crt Please help.

Hi @MS Techie , welcome to Microsoft Q&A forum. As of now it is not permitted to use any certificates other than the one specified in the mentioned documents. Below is the details from the doc: "In some cases, applications use a local certificate file generated from a trusted Certificate Authority (CA) certificate file to connect securely. Currently customers can only use the predefined certificate to connect to an Azure Database for PostgreSQL server, which is located here. However, Certificate Authority (CA) Browser forum recently published reports of multiple certificates issued by CA vendors to be non-compliant. As per the industry’s compliance requirements, CA vendors began revoking CA certificates for non-compliant CAs, requiring servers to use certificates issued by compliant CAs, and signed by CA certificates from those compliant CAs. Since Azure Database for PostgreSQL currently uses one of these non-compliant certificates, which client applications use to validate their SSL connections, we need to ensure that appropriate actions are taken (described below) to minimize the potential impact to your PostgreSQL servers. The new certificate will be used starting October 26, 2020 (10/26/2020). If you use either CA validation or full validation of the server certificate when connecting from a PostgreSQL client (sslmode=verify-ca or sslmode=verify-full), you need to update your application configuration before October 26, 2020 (10/26/2020). More details on: https://learn.microsoft.com/en-us/azure/postgresql/concepts-certificate-rotation Please let me know if that answers your query. ---------- If an answer is helpful, please "Accept answer" or "Up-Vote" for the same which might be beneficial to other community members reading this thread.

Does the PaaS offering from Azure , that is Azure PostgreSQL support custom certificate?

Accepted answer

Anurag Sharma 17,606 Reputation points

2020-09-18T08:20:03.083+00:00

Hi @MS Techie , welcome to Microsoft Q&A forum.

As of now it is not permitted to use any certificates other than the one specified in the mentioned documents. Below is the details from the doc:

"In some cases, applications use a local certificate file generated from a trusted Certificate Authority (CA) certificate file to connect securely. Currently customers can only use the predefined certificate to connect to an Azure Database for PostgreSQL server, which is located here. However, Certificate Authority (CA) Browser forum recently published reports of multiple certificates issued by CA vendors to be non-compliant.

As per the industry’s compliance requirements, CA vendors began revoking CA certificates for non-compliant CAs, requiring servers to use certificates issued by compliant CAs, and signed by CA certificates from those compliant CAs. Since Azure Database for PostgreSQL currently uses one of these non-compliant certificates, which client applications use to validate their SSL connections, we need to ensure that appropriate actions are taken (described below) to minimize the potential impact to your PostgreSQL servers.

The new certificate will be used starting October 26, 2020 (10/26/2020). If you use either CA validation or full validation of the server certificate when connecting from a PostgreSQL client (sslmode=verify-ca or sslmode=verify-full), you need to update your application configuration before October 26, 2020 (10/26/2020).

More details on: https://learn.microsoft.com/en-us/azure/postgresql/concepts-certificate-rotation

Please let me know if that answers your query.

----------

If an answer is helpful, please "Accept answer" or "Up-Vote" for the same which might be beneficial to other community members reading this thread.
Please sign in to rate this answer.
MS Techie 2,701 Reputation points

2020-09-18T10:07:05.433+00:00

Hi AnuragSharma,

Thanks a lot your reply.

So that means that we cannot use our own certificates , but use only the pre-defined certificates given by Azure PostgreSQL.

Also i saw the below connectionString in Microsoft site , which does not have use password option.

psql "sslmode=verify-full sslrootcert=BaltimoreCyberTrustRoot.crt host=mydemoserver.postgres.database.azure.com dbname=postgres user=myusern@mydemoserver"

1) If we use certificates , then dont we need any password to connect to Azure PostgreSQL ?
2) Also the certificate needs to be installed on client machine , which is trying to connect to Azure PostgreSQL . Please clarify on this point

MS Techie 2,701 Reputation points

2020-09-18T10:17:49.703+00:00

Hi AnuragSharma,

I went through the microsoft link here

https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem
https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem

The above 2 SSL certificates are only used to transport encryption from client to Azure PostgreSQL database.

But i am looking for certificate, which allows to authenticate without specifying username and password.

MS Techie 2,701 Reputation points

2020-09-18T10:31:32.287+00:00

Hi AnuragSharma,

Thanks for your reply.

I think the above SSL certificates are only for transport encryption while connecting from client .

PostgreSQL database support certificate authentication , where in one need not provide username and password in connectionstring.

My question was if the PaaS offering from Azure - Azure PostgreSQL database supports this kind of certificate authentication. (where we dont need to provide username and password in connectionString)

MS Techie 2,701 Reputation points

2020-09-18T17:01:13.423+00:00

The on-premises version of PostgreSQL support certificate authentication .i.e. we dont have to provide a username or password while authenticating to the PostgreSQL database , but the client application needs to have the certificate with those details. Details here

Does the PaaS version of Azure PostgreSQL database support certificate authentication ?

Please help.

Anurag Sharma 17,606 Reputation points

2020-09-18T17:36:34.347+00:00

Hi MSTechie-7364, thanks for replying back with more details. We are checking on this and will get back at the earliest.

MS Techie 2,701 Reputation points

2020-09-21T06:33:13.577+00:00

Thank you.

Looking forward for the reply.

Anurag Sharma 17,606 Reputation points

2020-09-21T07:31:14.257+00:00

Hi @MS Techie , I have looked into this and presently there is nothing available to support certificate authentication on Azure PostgreSQL.

However, I have reached out to internal product team for more details on whether it can be achieved through any means as of now, or do they have any plans to have this feature available in the product in coming days.

I will keep you posted on this as soon as receive a reply.

MS Techie 2,701 Reputation points

2020-09-21T12:17:10.423+00:00

Thank you @AnuragSharma .

I will wait for your reply.

As of now , i understand that the PaaS offering of Azure Postgres does not support certificate authentication .

So i may have to go for IaaS offering from Azure where Postgres is installed linux flavors like Ubuntu and Centos., in order to achieve certificate authentication.

MS Techie 2,701 Reputation points

2020-09-23T11:17:06.33+00:00

Thank you @AnuragSharma-MSFT .

Looking forward for your reply on certificate authentication option

Anurag Sharma 17,606 Reputation points

2020-09-23T11:35:16.973+00:00

Hi @MS Techie , thanks for your patience and apologies for the inconvenience caused to you.

I have again sent a follow up mail to product team on this and waiting for their reply. Mostly it should be by tomorrow we can hear back from them.

MS Techie 2,701 Reputation points

2020-09-23T16:56:14.2+00:00

Hi @AnuragSharma-MSFT

I came across an article which enables us to perform certifcate based authentication with Azure Active Directory .

https://learn.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started#requirements

The use case in the above article targets mainly Andoid, IOS and windows devices that can use certificate authentication while using to Microsoft Outlook and Exchange Active Sync clients , that mainly read mail ... so that they dont have to enter username and password

Can this concept be applied for enabling CERTIFICATE Authentication of PostgreSQL for the PaaS component - Azure Database for PostgreSQL

Please advice

Anurag Sharma 17,606 Reputation points

2020-09-25T05:01:38.417+00:00

Hi @MS Techie , thanks for the information provided. The link that you have mentioned looks like working mostly for Microsoft Office application. However I could find some helpful documents which talks about using certificate or token bases authentication on Azure PostgreSQL Databases. You can refer to below links for more details and let me know if this helps:

https://learn.microsoft.com/en-us/azure/postgresql/concepts-aad-authentication#:~:text=Microsoft%20Azure%20Active%20Directory%20(Azure,location%2C%20which%20simplifies%20permission%20management.

https://learn.microsoft.com/en-us/azure/postgresql/howto-configure-sign-in-aad-authentication

Could you please once take a look into these and let us know your feedback on these?

MS Techie 2,701 Reputation points

2020-09-25T13:51:24.573+00:00

Hi @AnuragSharma-MSFT ,

Have you received any reply from the product team about alternatives or different ways to achieve certificate authentication for the PaaS option of Azure PostgreSQL

Please help.

Anurag Sharma 17,606 Reputation points

2020-09-28T04:04:48.797+00:00

Hi @MS Techie , Thanks for your patience. We have yet to hear from the Product team and I already have sent another reminder to them over the weekend.

Meanwhile, were you able to look into the links I provided in last reply? Please check them once and let us know if they are useful and we can discuss more on the same grounds to see if it meets your requirements till we hear back from product team.

MS Techie 2,701 Reputation points

2020-09-28T05:48:22.367+00:00

Thank you @AnuragSharma-MSFT

I went through the links you had shared, which talks about using Azure AD authentication with PostgreSQL . i was aware of this already. Actually i was specifically looking for certificate authentication only. i got to understand from your earlier answers that we cannot use certificate authentication with PaaS offering from Azure for PostgreSQL.. Hence i was looking for other option that the microsoft product team could give

Anurag Sharma 17,606 Reputation points

2020-09-29T17:27:56.457+00:00

Hi @MS Techie , we received the response back from product group and unfortunately the feedback says there is no way to authenticate user without password. Only other way is the one you mentioned already using Azure Active Directory Authentication with PostgreSQL.

I apologize for the inconvenience caused to you and really appreciate you providing all the feedback as an end user.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Does the PaaS offering from Azure , that is Azure PostgreSQL support custom certificate?

0 additional answers

Your answer