Clarify the usage of SSL Cert in the connection string with custom path

It is not clear where the certificate should be:

postgresql://user:password@url:port/xxx?schema=xxx&sslcert=MYFILE.pem

MYFILE.pem should be at the root? Or can we make a custom directory for it and pass as an argument?

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:2
  • Comments:6 (3 by maintainers)

Top GitHub Comments

1 reaction
pantharshit00 commented, Jan 27, 2020

Hi @paulogdm,

Let me explain what each parameter is and how you can get them. Also, there is an issue regarding where you need to place the certificate files: https://github.com/prisma/prisma2/issues/1286

  1. sslmode=(disable|prefer|require):

    • Disable: do not use TLS.
    • Prefer: prefer TLS if possible, accept plain text connections.
    • Require: require TLS or fail if not possible.
    • Default: prefer
  2. sslcert=<PATH>: This is the root certificate used by the database server to sign the client certificate. You need to provide this if the certificate doesn’t exist in the trusted certificate store of your system.

  3. sslidentity=<PATH>: This is the SSL identity file in PKCS12 format which you will generate using the client key and client certificate. It will basically combine these two files in a single file and secure them via a password (see next parameter). You can create this file using your client key and client certificate by using the following command if you are using openssl:

openssl pkcs12 -export -out client-identity.p12 -inkey client-key.pem -in client-cert.pem

So after getting this file, you basically don't need the client key and client cert files for the connection, although you want to keep them around in case you want to regenerate this file.

  4. sslpassword=<PASSWORD>: Password that was used to secure the PKCS12 file. The openssl command listed in the last step will ask for a password while creating the PKCS12 file; you will need to provide that same exact password here.

  5. sslaccept=(strict|accept_invalid_certs): If set to strict, any missing value in the certificate chain (i.e. any untrusted certificates) will lead to an error. accept_invalid_certs will bypass this check. Defaults to accept_invalid_certs as most of the database clients prefer to skip this check.

So, in the end, you basically need three things to create an SSL connection:

  1. Root CA file
  2. PKCS12 client file
  3. PKCS12 password

Your connection string will look like the following:

postgres://postgres:<PASSWORD>@<HOST>?sslidentity=client-identity.p12&sslpassword=mypassword&sslcert=rootca.cert

You can add the other parameters if you want.

Let me know if you need a specific clarification here.
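
The parameter semantics listed in the comment above, as an added example that is not part of the original thread or Prisma's own code: a small Node.js check that reports which TLS settings a connection URL actually ends up with once the stated defaults apply. The function name, sample host, credentials and file names are assumptions made for illustration.

```javascript
// Added example: audits the TLS parameters of a PostgreSQL connection URL using
// the parameter names, allowed values and defaults given in the comment above.
const DEFAULTS = { sslmode: "prefer", sslaccept: "accept_invalid_certs" };
const ALLOWED = {
  sslmode: ["disable", "prefer", "require"],
  sslaccept: ["strict", "accept_invalid_certs"],
};

// Hypothetical helper: returns the effective settings and a list of findings.
function auditConnectionUrl(connectionUrl) {
  const params = new URL(connectionUrl).searchParams;
  const effective = {
    sslmode: params.get("sslmode") ?? DEFAULTS.sslmode,
    sslaccept: params.get("sslaccept") ?? DEFAULTS.sslaccept,
  };
  const findings = [];

  for (const [name, allowed] of Object.entries(ALLOWED)) {
    if (!allowed.includes(effective[name])) {
      findings.push(`${name}: unknown value "${effective[name]}"`);
    }
  }
  if (effective.sslmode === "disable") {
    findings.push("sslmode=disable: TLS is not used");
  } else if (effective.sslmode === "prefer") {
    findings.push("sslmode=prefer: plain text connections are accepted");
  }
  if (effective.sslaccept === "accept_invalid_certs") {
    findings.push("sslaccept=accept_invalid_certs: certificate chain errors are bypassed");
  } else if (effective.sslaccept === "strict" && !params.has("sslcert")) {
    findings.push("sslcert not set: the root CA must be in the system trust store");
  }
  if (params.has("sslidentity") !== params.has("sslpassword")) {
    findings.push("sslidentity and sslpassword are a pair, but only one is set");
  }
  return { effective, findings };
}

// Constructed sample URLs (host, credentials and file names are placeholders).
const asPosted =
  "postgres://postgres:secret@db.example.internal:5432/app" +
  "?sslidentity=client-identity.p12&sslpassword=mypassword&sslcert=rootca.cert";
const hardened = asPosted + "&sslmode=require&sslaccept=strict";

console.log(auditConnectionUrl(asPosted).findings);
console.log(auditConnectionUrl(hardened).findings);
```

The URL shaped like the one in the comment yields two findings because neither sslmode nor sslaccept is set, so the stated defaults (prefer, accept_invalid_certs) apply; setting sslmode=require and sslaccept=strict clears both.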

0 reactions
pantharshit00 commented, Jan 28, 2020

Ok, I understand: Certificate identity files are required in both the prisma folder and in the folder from which lift is executed

Yes, this is the issue that I have mentioned in my above comment, #1286. Right now you need them in both places but we would fix that bug in the coming weeks.

@pantharshit00 Is this information also available in a clean page in our documentation? If not, you should create a new docs issue for this and apply the candidate label, please.

This information is available in the docs: https://github.com/prisma/prisma2/blob/754620fcf105788f09c31a3a2f461852ad432eea/docs/core/connectors/postgresql.md#configuring-an-ssl-connection. Maybe it is not as descriptive as I have written above on how to generate certain things. Also, #1286 makes the process more confusing.

I opened https://github.com/prisma/prisma2/issues/1463 to address this.
