This topic describes how to configure a custom certificate that is used for SSL encryption on an ApsaraDB RDS for PostgreSQL instance. In ApsaraDB RDS for PostgreSQL, SSL encryption supports cloud certificates and custom certificates.

Prerequisites

  • The RDS instance runs PostgreSQL 10 or later with standard SSDs or enhanced SSDs (ESSDs).
  • OpenSSL is installed.
    Note Most Linux distributions ship OpenSSL, so no installation is needed on Linux. If you are using a Windows operating system, download and install the OpenSSL software package. For more information, visit the Win32/Win64 OpenSSL page.

Precautions

  • After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.
  • SSL encryption applies only to connections that are established after it is enabled. Existing connections stay unencrypted until you close them and connect again.
  • When you configure a custom certificate, change the content of the configured custom certificate, or disable SSL encryption, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Create a custom certificate

Notice When you create the private key of the server certificate or of the self-signed CA certificate, do not protect the key with a passphrase. The -nodes option in the following commands leaves the key unencrypted. If the private key is passphrase-protected, SSL encryption cannot be enabled.

In this example, Community Enterprise Operating System (CentOS) is used. If you are using a Windows operating system, the same openssl commands and the same openssl.cnf settings apply. Instead of running the cp and vim commands, copy and edit the files directly.

  1. Create a self-signed CA certificate and its private key. The certificate is saved in a file named ca.crt and the private key in a file named ca.key. Keep ca.key private: whoever holds it can issue certificates that clients configured to trust ca.crt will accept.
    openssl req -new -x509 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/CN=root-ca"
  2. Create a certificate signing request (CSR) and the private key of the server certificate. The CSR is used to request the server certificate and is saved in a file named server.csr. The private key is saved in a file named server.key.
    Each custom certificate can protect one or more endpoints. A client that verifies the server name matches the certificate against the endpoint to which it connects, so a certificate whose only name is its CN protects only that one endpoint.
    • If you want to protect a single endpoint, run the following command with the endpoint of your RDS instance as the CN:
      openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=pgm-bpxxxxx.pg.rds.aliyuncs.com"
    • If you want to protect multiple endpoints, run the following command:
      1. Copy the openssl.cnf file for temporary use.
        cp /etc/pki/tls/openssl.cnf  /tmp/openssl.cnf
        Note If you are using a Windows operating system, the openssl.cnf file is stored in the bin\cnf folder of the OpenSSL installation directory. You can copy the openssl.cnf file to any other directory on your computer.
      2. Run the following command to open the openssl.cnf file:
        vim /tmp/openssl.cnf
      3. Enter i to enable the edit mode. Then, add the following content to the openssl.cnf file:
        # Add the following content at the end of the [ req ] element.
        req_extensions = v3_req
        
        # Add the [ v3_req ] element.
        [ v3_req ]
        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        subjectAltName = @alt_names
        
        # Add the [ alt_names ] element with one DNS.n line per endpoint that you want to protect,
        # for example the internal endpoint and the public endpoint of the instance.
        # Replace each placeholder below with a different endpoint.
        [ alt_names ]
        DNS.1 = pgm-bpxxxxx.pg.rds.aliyuncs.com
        DNS.2 = pgm-bpxxxxx.pg.rds.aliyuncs.com
      4. Press Esc to exit the edit mode. Then, enter :wq to save the openssl.cnf file and exit.
      5. Create a CSR. The CSR is used to request a server certificate and is saved in a file named server.csr. Also, create a private key for the server certificate. The private key is saved in a file named server.key.
        openssl req -new -nodes -text -out server.csr -keyout server.key -config /tmp/openssl.cnf
        When the server.csr file is being created, you are prompted for the following parameters. Specify them based on your business requirements.
        • Country Name: the two-letter ISO 3166 code of the country where the RDS instance resides. Example: CN
        • State or Province Name: the province where the RDS instance resides. Example: Zhejiang
        • Locality Name: the city where the RDS instance resides. Example: Hangzhou
        • Organization Name: the name of the enterprise that purchases the RDS instance. Example: Alibaba
        • Organizational Unit Name: the department that uses the RDS instance within that enterprise. Example: Aliyun
        • Common Name: the domain name for which the certificate is requested. The endpoints are already listed in the alt_names element of the openssl.cnf file, so you can leave this parameter empty.
        • Email Address, A challenge password, An optional company name: leave these parameters empty.
  3. Create a server certificate. The server certificate is saved in a file named server.crt.
    • If you want to protect a single endpoint, run the following command:
      openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial  -out server.crt
    • If you want to protect multiple endpoints, run the following command:
      openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial  -out server.crt -extensions v3_req -extfile /tmp/openssl.cnf
After you complete the preceding operations, you have the following files:
  • server.crt: the server certificate. Because the -text option was used, the file starts with a human-readable dump of the certificate; only the PEM block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is uploaded to the console.
  • server.key: the unencrypted private key of the server certificate. It is uploaded to the console together with server.crt.
  • ca.crt: the self-signed CA certificate. Distribute it to the database clients so that they can verify the server certificate.
  • ca.key: the private key of the CA certificate. It is not uploaded anywhere; store it offline.
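The whole of Step 1 as two shell functions, with the checks worth running before anything is pasted into the console. This is an added example and not part of the original topic or of the ApsaraDB RDS tooling: it writes its own minimal openssl.cnf (using prompt = no, so no interactive questions) instead of editing the system copy, it omits -text so that server.crt holds only the PEM block, and the endpoint names it is called with are placeholders for the endpoints of your own instance.

```shell
#!/usr/bin/env bash
# Added example: reproduces Step 1 for one or more endpoints and checks the result.
# Endpoint names passed to these functions are placeholders; substitute the
# endpoints of your RDS instance.
set -eu

# make_rds_cert <workdir> <endpoint> [<endpoint> ...]
# Produces ca.crt, ca.key, server.csr, server.key and server.crt in <workdir>.
make_rds_cert() {
  local dir=$1; shift
  local i
  mkdir -p "$dir"
  (
    cd "$dir"
    # Self-signed root CA. -nodes leaves the key unencrypted, as Step 1 requires.
    openssl req -new -x509 -days 3650 -nodes -out ca.crt -keyout ca.key \
      -subj "/CN=root-ca" 2>/dev/null
    # Minimal config: the first endpoint becomes the CN, every endpoint becomes
    # a DNS SAN. prompt = no takes the subject from [ dn ] instead of asking.
    {
      printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
      printf '[ dn ]\nCN = %s\n' "$1"
      printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
      printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
      printf 'subjectAltName = @alt_names\n[ alt_names ]\n'
      i=1
      for ep in "$@"; do printf 'DNS.%d = %s\n' "$i" "$ep"; i=$((i + 1)); done
    } > openssl.cnf
    # CSR plus unencrypted server key, then the CA-signed server certificate.
    openssl req -new -nodes -out server.csr -keyout server.key -config openssl.cnf 2>/dev/null
    openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out server.crt -extensions v3_req -extfile openssl.cnf 2>/dev/null
  )
}

# check_rds_cert <workdir> <endpoint>
# Returns 0 only if the bundle is one the console can accept and a client that
# holds ca.crt and verifies the server name will trust for <endpoint>.
check_rds_cert() {
  local dir=$1 ep=$2
  local text nl='
'
  # 1. The key must not be passphrase-protected (Step 1 Notice). Both PEM forms
  #    of an encrypted key carry the word ENCRYPTED in their header lines.
  if grep -q 'ENCRYPTED' "$dir/server.key"; then
    echo "server.key is passphrase-protected; regenerate it with -nodes" >&2
    return 1
  fi
  # 2. The certificate must chain to ca.crt, the file the clients will hold.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  # 3. The key and the certificate must carry the same public key.
  [ "$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null)" ] || return 1
  # 4. The endpoint must be listed as a DNS SAN, exactly (no suffix match);
  #    that is the name a verifying client compares with the host it dialled.
  text=$(openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null) || return 1
  case "$text" in
    *"DNS:$ep,"*|*"DNS:$ep$nl"*) ;;
    *) return 1 ;;
  esac
}

# pem_only <file>: prints just the PEM block of a certificate, dropping the
# human-readable dump that -text prepends; this is what goes into the console.
pem_only() {
  openssl x509 -in "$1"
}

if [ "${1:-}" = "--demo" ]; then
  make_rds_cert ./rds-ssl pgm-bpxxxxx.pg.rds.aliyuncs.com pgm-bpyyyyy.pg.rds.aliyuncs.com
  check_rds_cert ./rds-ssl pgm-bpxxxxx.pg.rds.aliyuncs.com && echo "bundle OK"
fi
```

Run it with --demo, or source it and call make_rds_cert followed by check_rds_cert for each endpoint you listed. Once the checks pass, paste the output of pem_only server.crt and the content of server.key into the console as described in Step 2, hand ca.crt to the clients, and connect with libpq's sslmode=verify-full and sslrootcert=ca.crt (for example psql "host=<endpoint> sslmode=verify-full sslrootcert=ca.crt dbname=<db> user=<user>"): verify-full rejects the connection unless the endpoint it dials appears in the certificate, which is exactly what check 4 confirms ahead of time.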

Step 2: Use the created custom certificate to enable SSL encryption

Note After a custom certificate is configured, the status of the RDS instance changes from Running to Modifying SSL. After about 3 minutes, the status changes back to Running.
  1. Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane, click Data Security. On the page that appears, click the SSL Encryption tab.
  2. Click Custom Certificate. Then, click Configuration next to Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, specify the server certificate and the private key of the server certificate.
    • Server Certificate: the content of the server.crt file that you created in the "Step 1: Create a custom certificate" section of this topic. Make sure that all the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is copied to this field.
    • Private Key of Server Certificate: the content of the server.key file that you created in the same section. Make sure that the whole key block from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- is copied to this field. Older OpenSSL versions write the key with -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- headers instead; copy the whole block in that case as well.
    If the certificate protects multiple endpoints (the alt_names element in Step 1), each protected endpoint is listed as a separate record in the Protected Host parameter.

Step 3: Connect to the RDS instance from a database client

You can connect to the RDS instance from the database client over SSL by using one of the following methods:

Step 4: (Optional) Update the created custom certificate

Note This operation triggers a restart of the RDS instance. Proceed with caution.
On the SSL Encryption tab, click Modify next to Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, enter the new server certificate that you want to use and the private key of the new server certificate.

Step 5: (Optional) Disable SSL encryption

Note This operation triggers a restart of the RDS instance. Proceed with caution.
On the SSL Encryption tab, click Disable SSL.