
ApsaraDB RDS: Configure a custom certificate

Last Updated: Sep 18, 2023

In ApsaraDB RDS for PostgreSQL, SSL encryption supports cloud certificates and custom certificates. This topic describes how to configure a custom certificate that is used for SSL encryption on an ApsaraDB RDS for PostgreSQL instance.

Prerequisites

  • The RDS instance runs PostgreSQL 10 or later and uses cloud disks.

  • OpenSSL is installed.

    Note

    Linux operating systems are provided with OpenSSL. If you use a Linux operating system, you do not need to install OpenSSL. If you use a Windows operating system, you must download the OpenSSL software package and install OpenSSL. For more information, see the Win32/Win64 OpenSSL page.

Usage notes

  • After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.

  • After SSL encryption is enabled, you must close the existing connection and establish a new connection to make SSL encryption take effect.

  • When you configure a custom certificate, modify the content of the configured custom certificate, or disable SSL encryption, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Create a custom certificate

Warning

When you create a private key for a server certificate or self-signed certificate, do not enable password encryption. If you enable password encryption, SSL encryption cannot be enabled.

In this example, Community Enterprise Operating System (CentOS) is used. If you use a Windows operating system, the openssl commands are the same as in CentOS, but you must copy and edit the required files directly rather than running the cp and vim commands.

  1. Create a self-signed certificate and a private key for the self-signed certificate. The self-signed certificate is saved in a file named ca.crt. The private key is saved in a file named ca.key.

    openssl req -new -x509 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/CN=root-ca"
  2. Create a certificate signing request (CSR) file and a private key for the server certificate. The CSR file is named server.csr. The private key is saved in a file named server.key.

    Each custom certificate can protect one or more endpoints. You can use one of the following methods to generate a CSR file:

    • If you want to protect a single endpoint, run the following command:

      openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=pgm-bpxxxxx.pg.rds.aliyuncs.com"
      Note

      In the command, pgm-bpxxxxx.pg.rds.aliyuncs.com is used for example only. You must replace it with the actual endpoint that you want to protect. For more information about how to view the endpoint, see View and change the endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.

    • If you want to protect multiple endpoints, run the following command:

      1. Copy the openssl.cnf file for temporary use.

        cp /etc/pki/tls/openssl.cnf  /tmp/openssl.cnf
        Note

        If you use a Windows operating system, the openssl.cnf file is stored in the bin\cnf folder of the OpenSSL installation directory. You can copy the openssl.cnf file to any other directory on your computer.

      2. Run the following command to open the openssl.cnf file:

        vim /tmp/openssl.cnf
      3. Enter i to enable the edit mode. Then, add the following content to the openssl.cnf file:

        # Add the following content at the end of the [ req ] element.
        req_extensions = v3_req
        
        # Add the [ v3_req ] element.
        [ v3_req ]
        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        subjectAltName = @alt_names
        
        # Add the [ alt_names ] element. Then, enter the endpoint that you want to protect following each Domain Name System (DNS) record.
        [ alt_names ]
        DNS.1 = pgm-bpxxxxx.pg.rds.aliyuncs.com
        DNS.2 = pgm-bpxxxxx.pg.rds.aliyuncs.com
      4. Press Esc to exit the edit mode. Then, enter :wq to save the file and exit.

      5. Create a CSR file. The CSR file is named server.csr. Also, create a private key for the server certificate. The private key is saved in a file named server.key.

        openssl req -new -nodes -text -out server.csr -keyout server.key -config /tmp/openssl.cnf

        When the server.csr file is being created, you are prompted to configure the following parameters based on your business requirements.

        • Country Name
          Description: The code for the country in which the RDS instance resides. The country code must be two characters in length. ApsaraDB RDS supports country codes that are created and maintained by the International Organization for Standardization (ISO).
          Example: CN

        • State or Province Name
          Description: The province in which the RDS instance resides.
          Example: ZheJiang

        • Locality Name
          Description: The city in which the RDS instance resides.
          Example: HangZhou

        • Organization Name
          Description: The name of the enterprise that purchases the RDS instance.
          Example: Alibaba

        • Organizational Unit Name
          Description: The name of the department that uses the RDS instance.
          Example: Aliyun

        • Common Name
          Description: The domain name from which the request for an SSL certificate originates. The domain name is specified in the openssl.cnf file. You do not need to configure this parameter.
          Example: -

        • Email Address
          Description: You do not need to configure this parameter.
          Example: -

        • A challenge password
          Description: You do not need to configure this parameter.
          Example: -

        • An optional company name
          Description: You do not need to configure this parameter.
          Example: -

  3. Create a server certificate. The server certificate is saved in a file named server.crt.

    • If you want to protect a single endpoint, run the following command:

      openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
    • If you want to protect multiple endpoints, run the following command:

      openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extensions v3_req -extfile /tmp/openssl.cnf

After you complete the preceding configurations, run the ls command to view the generated file:

# ls
ca.crt  ca.key  ca.srl  server.crt  server.csr  server.key

The following list describes the files:

  • server.crt: the file that contains the server certificate

  • server.key: the file that contains the private key of the server certificate

  • ca.crt: the file that contains the self-signed certificate

  • ca.key: the file that contains the private key of the self-signed certificate
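The whole of Step 1 as an added shell script. It is not part of this topic and not Alibaba Cloud's tooling: it writes the [ req ], [ v3_req ] and [ alt_names ] sections shown above into its own configuration file instead of editing /etc/pki/tls/openssl.cnf, produces the same ca.crt, ca.key, server.csr, server.key and server.crt, and then checks the result before anything is pasted into the console: server.crt chains to ca.crt (the check a client that verifies the server against ca.crt performs), every endpoint appears in the subjectAltName list, server.key is an unencrypted PEM file (the warning above), and server.key belongs to server.crt. The endpoints pgm-bpxxxxx.pg.rds.aliyuncs.com and pgm-bpyyyyy.pg.rds.aliyuncs.com are constructed placeholders, and the [ v3_ca ] section given to the CA command is my addition so that the self-signed certificate carries CA:TRUE on every OpenSSL version; the script only needs the openssl command line tool.

```shell
#!/bin/sh
# Added example (not part of this topic or of Alibaba Cloud's tooling).
# Runs Step 1 end to end without editing /etc/pki/tls/openssl.cnf and then
# checks the output before it is pasted into the RDS console.
set -eu

# Write an OpenSSL configuration with the [ req ], [ v3_req ] and [ alt_names ]
# sections from Step 1, plus a [ v3_ca ] section (my addition) for the CA.
# Arguments: config path, then one or more endpoints to protect.
write_san_config() {
    cfg="$1"; shift
    {
        printf '[ req ]\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\n'
        printf 'prompt = no\n'            # take the subject from this file, do not prompt
        printf '\n[ req_distinguished_name ]\n'
        printf 'CN = %s\n' "$1"           # the first endpoint doubles as the Common Name
        printf '\n[ v3_req ]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n'
        printf '\n[ alt_names ]\n'
        i=1
        for ep in "$@"; do                # DNS.1, DNS.2, ... one entry per endpoint
            printf 'DNS.%d = %s\n' "$i" "$ep"
            i=$((i + 1))
        done
        printf '\n[ v3_ca ]\n'
        printf 'basicConstraints = critical, CA:TRUE\n'
        printf 'keyUsage = critical, keyCertSign, cRLSign\n'
        printf 'subjectKeyIdentifier = hash\n'
    } > "$cfg"
}

# Create ca.crt, ca.key, server.csr, server.key and server.crt in $1 for the
# endpoints given as the remaining arguments. -nodes keeps both private keys
# unencrypted, which the console requires.
make_custom_cert() {
    out="$1"; shift
    cfg="$out/openssl.cnf"
    write_san_config "$cfg" "$@"
    # Step 1.1: self-signed CA certificate and its key
    openssl req -new -x509 -days 3650 -nodes -out "$out/ca.crt" -keyout "$out/ca.key" \
        -config "$cfg" -extensions v3_ca -subj "/CN=root-ca" 2>/dev/null
    # Step 1.2: CSR and server key; the SAN list comes from the config file
    openssl req -new -nodes -out "$out/server.csr" -keyout "$out/server.key" \
        -config "$cfg" 2>/dev/null
    # Step 1.3: CA-signed server certificate carrying the v3_req extensions
    openssl x509 -req -in "$out/server.csr" -days 365 -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -CAcreateserial -out "$out/server.crt" -extensions v3_req -extfile "$cfg" 2>/dev/null
}

# Check the generated files the way a client and the console will use them.
# Arguments: directory, endpoint. Returns 0 only if every check passes.
check_custom_cert() {
    out="$1"; endpoint="$2"
    # server.crt must chain to ca.crt: a client that verifies the server
    # against ca.crt performs exactly this check before trusting the instance
    openssl verify -CAfile "$out/ca.crt" "$out/server.crt" >/dev/null 2>&1 || return 1
    # the endpoint must be listed in subjectAltName, or hostname checks fail
    openssl x509 -in "$out/server.crt" -noout -text | grep -qF "DNS:$endpoint" || return 1
    # the private key must be an unencrypted PEM block (see the warning above)
    grep -q 'ENCRYPTED' "$out/server.key" && return 1
    # the key must belong to the certificate: compare the public keys
    cert_pub=$(openssl x509 -in "$out/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$out/server.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

main() {
    if [ "$#" -lt 2 ]; then
        echo "usage: $0 <output-dir> <endpoint> [more endpoints...]" >&2
        return 0
    fi
    out="$1"; shift
    mkdir -p "$out"
    make_custom_cert "$out" "$@"
    for ep in "$@"; do
        check_custom_cert "$out" "$ep" || { echo "check failed for $ep" >&2; return 1; }
    done
    echo "OK: paste $out/server.crt and $out/server.key into the console; give $out/ca.crt to clients"
}

# Example invocation with constructed placeholder endpoints:
#   sh make_rds_cert.sh /tmp/rds-cert pgm-bpxxxxx.pg.rds.aliyuncs.com pgm-bpyyyyy.pg.rds.aliyuncs.com
main "$@"
```

Run it with the output directory followed by every endpoint of the instance (primary and read-only endpoints included); the script exits non-zero if any check fails, so nothing is pasted into the console that a client would later refuse. Keep ca.key offline after signing: only ca.crt needs to reach the clients.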

Step 2: Use the created custom certificate to enable SSL encryption

Note

After a custom certificate is configured, the status of the RDS instance changes from Running to Modifying SSL. After about 3 minutes, the status changes back to Running.

  1. Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security. On the page that appears, click the SSL tab.

  3. Click Custom Certificate. Then, click Configuration next to Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, specify the server certificate and the private key of the server certificate and click OK.


    • Server Certificate: Enter the content of the server.crt file that you created. For more information, see Step 1: Create a custom certificate. Make sure that all the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is copied to this field.

    • Private Key of Server Certificate: Enter the content of the server.key file that you created. For more information, see Step 1: Create a custom certificate. Make sure that all the content from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- is copied to this field.

    When you request a custom certificate, you can select multiple endpoints that you want to protect. If you select multiple endpoints, multiple records are displayed in the Protected Host parameter.

Step 3: Connect to the RDS instance from the database client

You can connect to the RDS instance from the database client over SSL. For more information, see Connect to an ApsaraDB RDS for PostgreSQL instance over SSL connections.

Step 4: (Optional) Update the created custom certificate

Note

This operation triggers a restart of the RDS instance. Proceed with caution.

On the SSL tab, click Modify next to Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, enter the new server certificate that you want to use and the private key of the new server certificate.

Step 5: (Optional) Disable SSL encryption

Note

This operation triggers a restart of your RDS instance. Proceed with caution.

On the SSL tab, click Disable SSL.