<filename>~/.postgresql/postgresql.crt</filename>.
This parameter is ignored if an SSL connection is not made.
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-sslkey" xreflabel="sslkey">
<term><literal>sslkey</literal></term>
<listitem>
<para>
This parameter specifies the location of the private key that belongs to
the client certificate. It can either specify a file name that will
be used instead of the default
<filename>~/.postgresql/postgresql.key</filename>, or it can specify a key
obtained from an external <quote>engine</quote> (engines are
<productname>OpenSSL</productname> loadable modules). An external engine
specification should consist of a colon-separated engine name and
an engine-specific key identifier. On Unix the key file must not be
readable by group or others (mode <literal>0600</literal>, or
<literal>0640</literal> if the file is owned by root);
<application>libpq</application> refuses to use a key file with looser
permissions. This parameter is ignored if an SSL connection is not made.
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-sslkeylogfile" xreflabel="sslkeylogfile">
<term><literal>sslkeylogfile</literal></term>
<listitem>
<para>
This parameter specifies the location where <application>libpq</application>
will log the keys used in this SSL context. This is useful for debugging
<productname>PostgreSQL</productname> protocol interactions or client
connections using network inspection tools like
<productname>Wireshark</productname>, which can decrypt a capture of the
session from such a file. This parameter is ignored if an
SSL connection is not made, or if <productname>LibreSSL</productname>
is used (<productname>LibreSSL</productname> does not support key
logging). Keys are logged using the <productname>NSS</productname>
key log format.
<warning>
<para>
Key logging will expose potentially sensitive information in the
keylog file. Keylog files should be handled with the same care as
<xref linkend="libpq-connect-sslkey" /> files.
</para>
</warning>
</para>
</listitem>
</varlistentry>
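<para>
The following script is an added example, not part of <application>libpq</application>
or the <productname>PostgreSQL</productname> documentation. It shows what a key log written
by <literal>sslkeylogfile</literal> contains and why the warning above applies: it parses the
<productname>NSS</productname> key log format, groups entries by TLS session (the client
random), reports the TLS version per session without ever retaining a secret, and checks that
the file is not readable by group or others. The sample key log inside it is constructed from
dummy bytes and is not real key material.
</para>

```python
"""Triage an NSS-format TLS key log like the one libpq writes for sslkeylogfile.

Added example, not part of libpq. Parses the key log, groups entries by
TLS session (client random) and checks that nobody else can read the file,
since the secrets in it decrypt every captured session they belong to.
"""
import os
import re
import stat
import tempfile
from collections import defaultdict

# Labels defined by the NSS key log format. CLIENT_RANDOM carries a TLS 1.2
# master secret; the other labels are TLS 1.3 traffic secrets.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
KNOWN_LABELS = TLS12_LABELS | TLS13_LABELS

# One entry per line: "<label> <client random, 32 bytes hex> <secret, hex>".
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)

# Constructed sample; these are not real secrets. Line 8 is deliberately malformed.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real key material",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,                    # TLS 1.2 session
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,  # TLS 1.3 session
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "EXPORTER_SECRET " + "bb" * 32 + " " + "66" * 32,
    "garbage that is not a key log line",
])


def parse_keylog(text):
    """Return (sessions, bad_lines).

    sessions maps each client random to {"version": ..., "labels": set()};
    bad_lines lists 1-based line numbers that are neither comments nor
    well-formed entries. The secrets themselves are deliberately dropped.
    """
    sessions = defaultdict(lambda: {"version": None, "labels": set()})
    bad_lines = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None or m.group("label") not in KNOWN_LABELS:
            bad_lines.append(lineno)
            continue
        label = m.group("label")
        entry = sessions[m.group("random").lower()]
        entry["version"] = "TLS1.2" if label in TLS12_LABELS else "TLS1.3"
        entry["labels"].add(label)
    return dict(sessions), bad_lines


def is_private_file(path):
    """True if path is a regular file with no group/other permission bits set."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def write_private(path, text):
    """Create (or truncate) path with mode 0600 before any data is written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
        f.write("\n")


def audit_keylog(path):
    """Summarise a key log without printing any secret."""
    with open(path) as f:
        sessions, bad_lines = parse_keylog(f.read())
    return {
        "private": is_private_file(path),
        "sessions": len(sessions),
        "tls13_sessions": sum(1 for s in sessions.values() if s["version"] == "TLS1.3"),
        "unparsed_lines": bad_lines,
    }


def demo():
    """Write the constructed sample to a temporary file and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pg.keylog")
        write_private(path, SAMPLE_KEYLOG)
        return audit_keylog(path)


if __name__ == "__main__":
    print(demo())
```

<para>
In practice the file is produced by a connection such as
<literal>psql "host=db.example.com sslmode=verify-full sslkeylogfile=/tmp/pg.keylog"</literal>
(host and path assumed) and handed to <productname>Wireshark</productname> through its
<literal>tls.keylog_file</literal> preference, for example
<literal>tshark -r capture.pcap -o tls.keylog_file:/tmp/pg.keylog -Y pgsql</literal>.
Delete the key log once the debugging session is over; every session whose client random
appears in it stays decryptable for as long as both the capture and the file exist.
</para>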
<varlistentry id="libpq-connect-sslpassword" xreflabel="sslpassword">
<term><literal>sslpassword</literal></term>
<listitem>
<para>
This parameter specifies the password for the secret key specified in
<literal>sslkey</literal>, allowing client certificate private keys
to be stored in encrypted form on disk even when interactive passphrase
input is not practical.
</para>
<para>
Specifying this parameter with any non-empty value suppresses the
<literal>Enter PEM pass phrase:</literal>
prompt that <productname>OpenSSL</productname> will emit by default
when an encrypted client certificate key is provided to
<application>libpq</application>.
</para>
<para>
If the key is not encrypted this parameter is ignored. The parameter
has no effect on keys specified by <productname>OpenSSL</productname>
engines unless the engine uses the <productname>OpenSSL</productname>
password callback mechanism for prompts.
</para>
<para>
There is no environment variable equivalent to this option, and no
facility for looking it up in <filename>.pgpass</filename>. It can be
used in a service file connection definition, which is the preferred
place for it: a connection string passed on the command line is visible
to other users in the process list, and <application>libpq</application>
does not check the permissions of a service file the way it does for
<filename>.pgpass</filename>, so restrict the service file yourself
(mode <literal>0600</literal>). Users with more sophisticated needs
should consider using <productname>OpenSSL</productname> engines and
tools like PKCS#11 or USB crypto offload devices.
</para>
</listitem>
</varlistentry>
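<para>
A service file definition carrying <literal>sslpassword</literal>, added here as an
illustration rather than taken from the <productname>PostgreSQL</productname> documentation.
The service name, host, database, user and file paths are made up; the key at
<filename>sslkey</filename> is assumed to have been encrypted beforehand, for instance with
<literal>openssl pkey -in app.key -aes256 -out app.key</literal>.
</para>

```ini
# ~/.pg_service.conf  (chmod 0600; libpq does not enforce this file's permissions)
# Hypothetical service definition for an mTLS connection with an encrypted client key.
[app-mtls]
host=db.example.com
port=5432
dbname=app
user=app
sslmode=verify-full
sslrootcert=/etc/ssl/pg/root.crt
sslcert=/etc/ssl/pg/app.crt
sslkey=/etc/ssl/pg/app.key
# Passphrase of the encrypted app.key; suppresses the "Enter PEM pass phrase:" prompt.
sslpassword=replace-with-the-key-passphrase
```

<para>
The connection is then opened with <literal>psql "service=app-mtls"</literal> (or with
<envar>PGSERVICE</envar> set), so neither the passphrase nor the key locations appear on the
command line. Keep the service file and the key file at <literal>0600</literal>; the passphrase
protects the key only against someone who obtains the key file but not the service file.
</para>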
<varlistentry id="libpq-connect-sslcertmode" xreflabel="sslcertmode">
<term><literal>sslcertmode</literal></term>
<listitem>
<para>
This option determines whether a client certificate may be sent to the
server, and whether the server is required to request one. There are
three modes:
<variablelist>
<varlistentry>