For people wanting to authenticate to a PostgreSQL server using an X.509 client certificate, this procedure might help.
This procedure does it the Java way, i.e. it takes a JKS store, not PEM files.
First create a JKS containing the private key for your account, and put in it all the needed certificates in the chain (both server and user). The CN of the user certificate should match the username used later.
Add to your JVM args :
-Djavax.net.ssl.trustStore=.../puppetdb.jks -Djavax.net.ssl.trustStorePassword=<JKS password> -Djavax.net.ssl.keyStore=.../puppetdb.jks -Djavax.net.ssl.keyStorePassword=<JKS password>
In case of problems, -Djavax.net.debug=ssl,defaultctx might help.
My database.ini is :
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //localhost:5432/puppetdb?ssl=true
username = puppetdb
In pg_hba.conf, I added :
hostssl all all 0.0.0.0/0 cert clientcert=1
And in postgresql.conf :
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
The file root.crt contains all the needed certificates (both client and server)
The file server.crt contains only the server certificate
The file server.key contains the private key.
Those 3 files are stored as PEM files.
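Before starting the JVM, the keystore from the first step can be checked against the username in database.ini. The following is an added example, not part of the original procedure or of PuppetDB or the PostgreSQL driver; the class name CheckClientJks is hypothetical, and it assumes the keystore path and password are passed through the same javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword properties used above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical pre-flight check (added example, not PuppetDB or pgjdbc code).
// Run: java -Djavax.net.ssl.keyStore=<path> -Djavax.net.ssl.keyStorePassword=<pw> CheckClientJks puppetdb
public class CheckClientJks {
    // Return the CN attribute of the certificate subject, or null if absent.
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String dbUser = args[0]; // the username from database.ini
        String path = System.getProperty("javax.net.ssl.keyStore");
        char[] pass = System.getProperty("javax.net.ssl.keyStorePassword").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass); // also verifies the store integrity with the password
        }
        boolean matched = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println("trusted cert : " + alias);
                continue;
            }
            // The first element of the chain is the client (leaf) certificate.
            X509Certificate leaf = (X509Certificate) ks.getCertificateChain(alias)[0];
            leaf.checkValidity(); // throws if expired or not yet valid
            String cn = commonName(leaf);
            System.out.println("key entry    : " + alias + " CN=" + cn
                    + " chain length=" + ks.getCertificateChain(alias).length);
            matched |= dbUser.equals(cn);
        }
        if (!matched) {
            System.err.println("No key entry whose CN equals '" + dbUser + "'");
            System.exit(1);
        }
    }
}
```

A non-zero exit means no private-key entry in the store carries a certificate whose CN equals the database username, which the cert method in pg_hba.conf would reject.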
org.postgresql.ssl.LibPQFactory is used if you want to mimic the psql client configuration and use PEM files instead of JKS, and it takes the same arguments; some documentation can be found at :