19.12. Certificate Authentication
This authentication method uses SSL client certificates to perform authentication. It is therefore only available for SSL connections; seeSection 17.9.2 for SSL configuration instructions. When using this authentication method, the server will require that the client provide a valid, trusted certificate. No password prompt will be sent to the client. Thecn (Common Name) attribute of the certificate will be compared to the requested database user name, and if they match the login will be allowed. User name mapping can be used to allowcn to be different from the database user name.
The following configuration options are supported for SSL certificate authentication:
mapAllows for mapping between system and database user names. SeeSection 19.2 for details.
In apg_hba.conf record specifying certificate authentication, the authentication optionclientcert is assumed to be1, and it cannot be turned off since a client certificate is necessary for this method. What thecert method adds to the basicclientcert certificate validity test is a check that thecn attribute matches the database user name.