Encrypted Communication and Local CA
Encrypted communication solves three problems:
- Eavesdropping: prevent plaintext traffic sniffing
- Tampering: prevent MITM modification
- Impersonation: prevent fake servers/clients
Pigsty uses a local CA + TLS to provide a unified trust root for databases and infrastructure components.
Role of the Local CA
Pigsty generates a self-signed CA on the admin node by default:
files/pki/ca/ca.key # CA private key (must be protected)
files/pki/ca/ca.crt # CA root certificate (distributable)
Default values in source:
- ca_create: true: auto-generate a CA under files/pki/ca/ if none is found.
- ca_cn: pigsty-ca: the CA certificate CN is fixed to pigsty-ca.
- Root certificate validity: about 100 years (self-signed).
- Server/client certificate validity: cert_validity: 7300d (20 years).
Certificate Coverage
The local CA issues certs for multiple components with a unified trust chain:
| Component | Purpose | Typical Path |
|---|---|---|
| PostgreSQL / PgBouncer | connection encryption | /pg/cert/ |
| Patroni | API communication | /pg/cert/ |
| etcd | DCS encryption | /etc/etcd/ |
| MinIO | object storage HTTPS | ~minio/.minio/certs/ |
| Nginx | web ingress HTTPS | /etc/nginx/conf.d/cert/ |
Problem solved: different components issuing their own certs create fragmented trust; a unified CA enables one distribution, many uses.
Trust Distribution
Pigsty distributes ca.crt to all nodes and adds it to system trust:
- Cert path on every node: /etc/pki/ca.crt
- EL family: /etc/pki/ca-trust/source/anchors/
- Debian/Ubuntu: /usr/local/share/ca-certificates/
This allows clients that use the system trust store (curl, for example) to trust Pigsty-issued certificates automatically. libpq-based clients such as psql do not consult the system store by default: pass sslrootcert=/etc/pki/ca.crt (or sslrootcert=system with a PostgreSQL 16+ client) together with sslmode=verify-ca or verify-full; with plain sslmode=require the connection is encrypted but the server certificate is not verified.
Using an External CA
If you already have an enterprise CA, replace the two files (before the first deployment, so that no certificate is issued by the auto-generated CA):
- files/pki/ca/ca.key
- files/pki/ca/ca.crt
and set:
ca_create: false
Problem solved: prevents accidental generation of a new self-signed CA and trust chain confusion.
Client Certificate Authentication
Certificate auth can replace or enhance password auth:
- Avoid password phishing or leakage
- Certificates can bind device and account
Pigsty ships cert.yml to issue client certificates:
./cert.yml -e cn=dbuser_dba
./cert.yml -e cn=dbuser_monitor
Generated by default at:
files/pki/misc/<cn>.key
files/pki/misc/<cn>.crt
For PostgreSQL certificate authentication the certificate CN is compared with the database role name (unless a pg_ident map is used), which is why the examples above use the role names dbuser_dba and dbuser_monitor as cn.
Key Protection and Rotation
- CA private key is 0600 by default and stored in a 0700 directory.
- If the CA private key leaks, regenerate the CA and re-issue all certs.
- Rotate certificates after major upgrades or key incidents.
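The following POSIX shell script is an added example, not Pigsty's own code (Pigsty issues certificates from its Ansible playbooks). It builds a throwaway PKI in a temp directory that mirrors the files/pki layout above and ties together three points from this page: the Certificate Coverage section (one CA, many certificates, all verifiable against a single ca.crt), the Client Certificate Authentication section (the CN in the issued client certificate is what PostgreSQL matches against the role name), and the rotation rule (a regenerated CA, even with the same CN pigsty-ca, is a different trust root, so every previously issued certificate stops verifying and must be re-issued). It assumes only the openssl CLI; the host name pg-meta-1, the directory names and the 36500-day CA validity are chosen for the demo, while the CN pigsty-ca and the 7300-day leaf validity mirror the documented defaults.

```shell
#!/usr/bin/env sh
# Added example (not Pigsty code). Requires the openssl CLI.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA in $1 with CN $2: ca.key (0600, keep private) and ca.crt (distributable).
mk_ca() {
    mkdir -p "$1" && chmod 700 "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -days 36500 \
        -subj "/CN=$2" >/dev/null 2>&1 || return 1
    chmod 600 "$1/ca.key"
}

# Issue a leaf certificate with CN $3, valid $4 days, signed by the CA in $1,
# written to $2/<cn>.key and $2/<cn>.crt (same naming as files/pki/misc/).
issue_cert() {
    mkdir -p "$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2/$3.key" -out "$2/$3.csr" -subj "/CN=$3" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$2/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$4" -sha256 -out "$2/$3.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$2/$3.key"
}

# Return 0 if leaf certificate $2 chains to CA certificate $1, non-zero otherwise.
# This is the check every client performs once ca.crt sits in its trust store.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the subject CN of certificate $1 (the value PostgreSQL's cert auth compares
# with the role name).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//; s/^CN=//'
}

demo() {
    # One CA, several certificates: a server cert and a client cert.
    mk_ca "$WORK/pki/ca" pigsty-ca || return 1
    issue_cert "$WORK/pki/ca" "$WORK/pki/pg"   pg-meta-1  7300 || return 1
    issue_cert "$WORK/pki/ca" "$WORK/pki/misc" dbuser_dba 7300 || return 1

    # Both verify against the single distributed ca.crt.
    verify_against "$WORK/pki/ca/ca.crt" "$WORK/pki/pg/pg-meta-1.crt"    || return 1
    verify_against "$WORK/pki/ca/ca.crt" "$WORK/pki/misc/dbuser_dba.crt" || return 1
    [ "$(cert_cn "$WORK/pki/misc/dbuser_dba.crt")" = "dbuser_dba" ]     || return 1

    # Simulate "CA key leaked, regenerate the CA": same CN, different key, different root.
    mk_ca "$WORK/pki/ca-new" pigsty-ca || return 1
    # Old certificates are now rejected...
    if verify_against "$WORK/pki/ca-new/ca.crt" "$WORK/pki/pg/pg-meta-1.crt"; then
        echo "old cert unexpectedly still trusted" >&2; return 1
    fi
    # ...until they are re-issued from the new CA.
    issue_cert "$WORK/pki/ca-new" "$WORK/pki/pg2" pg-meta-1 7300 || return 1
    verify_against "$WORK/pki/ca-new/ca.crt" "$WORK/pki/pg2/pg-meta-1.crt" || return 1
    echo "ok: unified chain verified, stale certificates rejected after CA rotation"
}

demo || exit 1
```

The script never moves ca.key out of its 0700 directory; in a real deployment the CSR travels to the admin node and the signed certificate travels back, which is the flow cert.yml automates. To apply the same verification to a live node, run the verify_against check with /etc/pki/ca.crt as the CA file and /pg/cert/server.crt (or whatever path the component uses) as the leaf.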
Next
- 🔑 Authentication: HBA and certificate auth
- 👤 Access Control: role and privilege model
- ✅ Compliance Checklist: compliance evidence and mapping