@@ -8397,23 +8397,35 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
83978397 <para>
83988398 If the server attempts to verify the identity of the
83998399 client by requesting the client's leaf certificate,
8400- <application>libpq</application> will send thecertificates stored in
8400+ <application>libpq</application> will send thecertificate(s) stored in
84018401 file <filename>~/.postgresql/postgresql.crt</filename> in the user's home
84028402 directory. The certificates must chain to the root certificate trusted
84038403 by the server. A matching
84048404 private key file <filename>~/.postgresql/postgresql.key</filename> must also
8405- be present. The private
8406- key file must not allow any access to world or group; achieve this by the
8407- command <command>chmod 0600 ~/.postgresql/postgresql.key</command>.
8405+ be present.
84088406 On Microsoft Windows these files are named
84098407 <filename>%APPDATA%\postgresql\postgresql.crt</filename> and
8410- <filename>%APPDATA%\postgresql\postgresql.key</filename>, and there
8411- is no special permissions check since the directory is presumed secure.
8408+ <filename>%APPDATA%\postgresql\postgresql.key</filename>.
84128409 The location of the certificate and key files can be overridden by the
8413- connection parameters <literal>sslcert</literal> and <literal>sslkey</literal> or the
8410+ connection parameters <literal>sslcert</literal>
8411+ and <literal>sslkey</literal>, or by the
84148412 environment variables <envar>PGSSLCERT</envar> and <envar>PGSSLKEY</envar>.
84158413 </para>
84168414
8415+ <para>
8416+ On Unix systems, the permissions on the private key file must disallow
8417+ any access to world or group; achieve this by a command such as
8418+ <command>chmod 0600 ~/.postgresql/postgresql.key</command>.
8419+ Alternatively, the file can be owned by root and have group read access
8420+ (that is, <literal>0640</literal> permissions). That setup is intended
8421+ for installations where certificate and key files are managed by the
8422+ operating system. The user of <application>libpq</application> should
8423+ then be made a member of the group that has access to those certificate
8424+ and key files. (On Microsoft Windows, there is no file permissions
8425+ check, since the <filename>%APPDATA%\postgresql</filename> directory is
8426+ presumed secure.)
8427+ </para>
8428+
84178429 <para>
84188430 The first certificate in <filename>postgresql.crt</filename> must be the
84198431 client's certificate because it must match the client's private key.