On Tue, Nov 26, 2013 at 1:31 PM, Bruce Momjian <br...@momjian.us> wrote:

> Well, by using a CA you are giving the CA rights to the key, while you
> fully control a self signed key.  Since you probably don't expect
> unknown individuals to be connecting to your database, a self signed
> key is recommended.
>

You never give the key to them, just a signing request based on the key.
You lose no control over anything. They will in general insist your key be
at least 2048 bits.

The only advantage of having a CA key is if the client does authentication
of the server, and you have no prior arrangement with the client to accept
a certificate from your signing authority.

Using self-signed certs you can give them longevity of 10+ years, so never
have to worry about them again :)
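
The two routes discussed in this thread, as an added example that is not part of the original message: it creates a 2048-bit key, builds the signing request a CA would receive and checks that it holds only the public half of the key, then issues a self-signed certificate valid for ten years. The file names and the `db.example.internal` subject are constructed values.

```shell
#!/usr/bin/env bash
# Added illustration. File names and the CN are constructed values.
set -eu
WORK=$(mktemp -d)
KEY="$WORK/server.key"; CSR="$WORK/server.csr"; CRT="$WORK/server.crt"
SUBJ="/CN=db.example.internal"

# The private key is generated locally and stays on this host.
make_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# CA route: the CSR is the only file that would be sent for signing.
make_csr() {
    openssl req -new -key "$KEY" -subj "$SUBJ" -out "$CSR"
}

# True if the CSR holds the public half of our key and no private key block.
csr_is_public_only() {
    csr_pub=$(openssl req -in "$CSR" -noout -pubkey)
    key_pub=$(openssl pkey -in "$KEY" -pubout)
    [ "$csr_pub" = "$key_pub" ] && ! grep -q "PRIVATE KEY" "$CSR"
}

# True if the CSR's self-signature verifies, which is how a CA confirms
# the requester holds the private key without ever seeing it.
csr_proves_possession() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK"
}

# Self-signed route: same key, no CA, valid for the given number of days.
make_self_signed() {
    openssl req -new -x509 -key "$KEY" -subj "$SUBJ" -days "$1" -out "$CRT"
}

# True if the certificate is still valid $1 days from now.
valid_in_days() {
    openssl x509 -in "$CRT" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

make_key
make_csr
csr_is_public_only && csr_proves_possession && echo "CSR: public key only"
make_self_signed 3650
valid_in_days 3649 && echo "self-signed cert valid for ~10 years"
```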
