2
votes

I would like to set up SSL when connecting to Redshift with JDBC, and use the Redshift certificate to verify the connection.

Redshift docs at http://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html describe that I need to add the redshift key from https://s3.amazonaws.com/redshift-downloads/redshift-ssl-ca-cert.pem to a truststore.

However, I would not like to add the certificate to a truststore, but use the certificate file directly. As described on docs.aws.amazon.com/redshift/latest/mgmt/configure-jdbc-options.html, JDBC has the option sslCert to specify the path to the certificate file directly. But when sslCert is specified, it requires me to also specify the sslKey option, which as far as I understand is the private key of the certificate. Why is that? Why do I need to also have the key when using the certificate from a file and not from a truststore? Is there any other way to set it up without adding it to a truststore (and performing verification, so not a NonValidatingFactory)?

1
By further googling I researched that sslCert and sslKey options are for client certificates and not server certificates, and then it makes sense why I need a key. However, the question still remains: can I use a server certificate without putting it into the truststore? - Juliusz Sompolski
I also tried using sslrootcert to point to the certificate file, but that also does not seem to work... - Juliusz Sompolski
This is for psql, but the info further down about using a cert might help since it specifies a file: docs.aws.amazon.com/redshift/latest/mgmt/…. - systemjack

1 Answer

1
votes

In the end, using sslrootcert=/path/to/certificate.pem worked. I had too old a version of the Redshift JDBC library, which did not support that option...
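The setup the answer describes, as an added example that is not part of the original post: the PEM file is checked first, then passed as the trust anchor through sslrootcert, while sslCert and sslKey (client authentication) stay unset. Assumptions: a Redshift JDBC driver recent enough to support sslrootcert is on the classpath, that driver also accepts sslmode=verify-full, and the class name, environment variable names and command-line arguments are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Collection;
import java.util.Objects;
import java.util.Properties;

public class RedshiftSslRootCert {
    // Fail early if the PEM file is empty, unparsable, expired or not yet valid.
    static int checkCaFile(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            if (certs.isEmpty()) throw new IllegalArgumentException("no certificate in " + pem);
            for (Certificate c : certs) {
                X509Certificate x = (X509Certificate) c;
                x.checkValidity(); // throws if outside notBefore/notAfter
                if (x.getBasicConstraints() < 0) // -1 means the CA flag is not set
                    System.err.println("warning: not marked as a CA: " + x.getSubjectX500Principal());
            }
            return certs.size();
        }
    }

    public static void main(String[] args) throws Exception {
        Path ca = Paths.get(args[0]); // e.g. /path/to/certificate.pem
        String url = args[1];         // jdbc:redshift://<cluster-endpoint>:<port>/<database>
        System.out.println("trust anchors in file: " + checkCaFile(ca));

        Properties p = new Properties();
        p.setProperty("user", Objects.requireNonNull(System.getenv("REDSHIFT_USER"), "REDSHIFT_USER"));
        p.setProperty("password", Objects.requireNonNull(System.getenv("REDSHIFT_PASSWORD"), "REDSHIFT_PASSWORD"));
        p.setProperty("ssl", "true");
        p.setProperty("sslmode", "verify-full"); // assumption: validate chain and host name
        p.setProperty("sslrootcert", ca.toAbsolutePath().toString()); // server CA, no truststore
        // sslCert / sslKey are not set: they identify the client, not the server.

        try (Connection c = DriverManager.getConnection(url, p)) {
            System.out.println("connected over verified TLS: " + c.getMetaData().getURL());
        }
    }
}
```

If the connection still succeeds when sslrootcert points at an unrelated CA file, the driver is ignoring the option (the old-driver situation from the answer) and the server certificate is not being verified against that file.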