@euri10
Created July 28, 2019 12:58
#!/bin/bash
set -euxo pipefail
BASEDIR=$(dirname "$0")
mkdir -p "${BASEDIR}/cert" && cd "${BASEDIR}/cert"
# the key left by a previous run is owned by uid 70 (chown below), so a plain rm would fail
sudo rm -f server-key.pem
# CA key and self-signed CA certificate (the v3_ca section adds basicConstraints CA:TRUE)
openssl req -new -nodes -text -out ca.csr -keyout ca-key.pem -subj "/CN=certificate-authority"
openssl x509 -req -in ca.csr -text -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey ca-key.pem -out ca-cert.pem
# server key and certificate, signed by the CA; the CN is the name clients must connect to under sslmode=verify-full
openssl req -new -nodes -text -out server.csr -keyout server-key.pem -subj "/CN=pg-server"
openssl x509 -req -in server.csr -text -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
# client key and certificate, signed by the same CA
openssl req -new -nodes -text -out client.csr -keyout client-key.pem -subj "/CN=pg-client"
openssl x509 -req -in client.csr -text -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem
# Client files under the default libpq names (~/.postgresql/root.crt, postgresql.crt, postgresql.key)
rm -rf client && mkdir -p client
cp ca-cert.pem client/root.crt
cp client-cert.pem client/postgresql.crt
cp client-key.pem client/postgresql.key
# libpq refuses a client key that is group- or world-readable
chmod 600 client/postgresql.key
# server key: readable only by the postgres user of the image (uid/gid 70 in postgres:*-alpine)
chmod 600 server-key.pem
sudo chown 70:70 server-key.pem
# replace any container left from a previous run
docker stop encodedb >/dev/null 2>&1 || true
docker rm encodedb >/dev/null 2>&1 || true
# ssl_ca_file lets the server verify client certificates; requiring them is done in pg_hba.conf
# (a hostssl line with the cert method, or clientcert=1 on a hostssl line in PostgreSQL 11)
docker run -d --name encodedb -p 5555:5432 \
  -v "$PWD/server-cert.pem":/var/lib/postgresql/server-cert.pem:ro \
  -v "$PWD/server-key.pem":/var/lib/postgresql/server-key.pem:ro \
  -v "$PWD/ca-cert.pem":/var/lib/postgresql/ca-cert.pem:ro \
  postgres:11-alpine \
  -c ssl=on \
  -c ssl_cert_file=/var/lib/postgresql/server-cert.pem \
  -c ssl_key_file=/var/lib/postgresql/server-key.pem \
  -c ssl_ca_file=/var/lib/postgresql/ca-cert.pem
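The script above generates the PKI but never checks what it produced. The following is an added example, not part of the gist, that verifies the output directory the way the server and libpq will at handshake time: each leaf certificate chains to ca-cert.pem, each private key belongs to its certificate, the client key has the 0600 mode libpq insists on, and the host name the client will use equals the server certificate's CN (the script issues no subjectAltName, so sslmode=verify-full compares the host against the CN). It assumes the gist's file names and layout, that openssl is on PATH, and the constructed port 5555 from the docker run line; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the gist): sanity checks for the cert directory the
# script above produces. Assumes the gist's file names (ca-cert.pem,
# server-cert.pem, server-key.pem, client/root.crt, client/postgresql.*).
# Usage: sh check-pki.sh --check ./cert pg-server
set -eu

# Both leaf certs must chain to the self-signed CA; the server (ssl_ca_file)
# and libpq (sslrootcert) each perform this verification during the handshake.
check_chain() {
  dir=$1
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/client/postgresql.crt" >/dev/null 2>&1
}

# A key and a cert from different runs of the script are a common mix-up;
# compare the SHA-256 of the DER-encoded public key carried by each.
key_matches_cert() {
  key=$1
  cert=$2
  [ -r "$key" ] && [ -r "$cert" ] || return 1
  openssl pkey -in "$key" -noout 2>/dev/null || return 1
  key_fp=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  cert_fp=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null |
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$key_fp" = "$cert_fp" ]
}

# libpq rejects a client key that is group- or world-readable
# ("private key file ... has group or world access"), so require 0600 or 0400.
key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# The CN the cert asserts; with no subjectAltName this is the name libpq
# compares against the connection host under sslmode=verify-full.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# verify-full succeeds only if the connection host equals the cert name;
# "localhost" against a CN=pg-server cert fails the host-name check.
host_matches_cert() {
  [ "$1" = "$(cert_cn "$2")" ]
}

# libpq key=value connection string that verifies the CA chain AND the host
# name, passing the client files explicitly instead of relying on the
# ~/.postgresql defaults. user/dbname "postgres" are placeholders.
conninfo() {
  printf 'host=%s port=%s user=postgres dbname=postgres sslmode=verify-full sslrootcert=%s sslcert=%s sslkey=%s\n' \
    "$1" "$2" "$3/client/root.crt" "$3/client/postgresql.crt" "$3/client/postgresql.key"
}

# Run every check against DIR for a client that will connect to HOST; on
# success print the connection string for the port the gist publishes (5555).
check_all() {
  dir=$1
  host=$2
  check_chain "$dir" || { echo "chain: leaf certs do not verify against ca-cert.pem" >&2; return 1; }
  key_matches_cert "$dir/server-key.pem" "$dir/server-cert.pem" ||
    { echo "server key does not match server cert" >&2; return 1; }
  key_matches_cert "$dir/client/postgresql.key" "$dir/client/postgresql.crt" ||
    { echo "client key does not match client cert" >&2; return 1; }
  key_mode_ok "$dir/client/postgresql.key" ||
    { echo "client key must be mode 0600 for libpq" >&2; return 1; }
  host_matches_cert "$host" "$dir/server-cert.pem" ||
    { echo "host '$host' != cert CN '$(cert_cn "$dir/server-cert.pem")': verify-full will fail" >&2; return 1; }
  conninfo "$host" 5555 "$dir"
}

# Only run when invoked with --check, so the file can also be sourced for its functions.
if [ "${1:-}" = "--check" ]; then
  check_all "${2:-./cert}" "${3:-pg-server}"
fi
```

Running `sh check-pki.sh --check ./cert pg-server` after the gist's script prints a conninfo string usable with `psql "$(...)"`; the same call with `localhost` as the host fails on the CN check, which is exactly the failure a verify-full client would see, since the cert names pg-server and nothing else.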