This topic describes how to configure Secure Sockets Layer (SSL) encryption for an ApsaraDB RDS for MySQL instance. You can enable SSL encryption for your RDS instance and install the SSL certificates that are issued by certificate authorities (CAs) on your application. SSL then encrypts the network connection between your RDS instance and your application at the transport layer. This enhances the security and integrity of the data in transit. However, SSL increases the response time.
Prerequisites
Your RDS instance runs one of the following MySQL versions and RDS editions:
- MySQL 8.0 on RDS Enterprise Edition
- MySQL 8.0 on RDS High-availability Edition
- MySQL 5.7 on RDS Enterprise Edition
- MySQL 5.7 on RDS High-availability Edition
- MySQL 5.6
Background information
For more information about how to configure SSL encryption for RDS instances that run other database engines, see the following topics:
Precautions
- The validity period of an SSL certificate is one year. Before the SSL certificate in use expires, you must update its validity period. In addition, you must download the SSL certificate file and configure the SSL certificate again. Otherwise, a client cannot connect to your RDS instance over an encrypted connection. For more information, see Update the validity period of an SSL certificate.
- Because of the way SSL encryption is implemented, it may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you need to encrypt the connection to the public endpoint of your RDS instance. In most cases, the connection to the internal endpoint of your RDS instance is secure and therefore does not require SSL encryption.
- SSL encryption is not supported for the connection to the read/write splitting endpoint of your RDS instance.
- If you disable SSL encryption, your RDS instance restarts. Proceed with caution.
Enable SSL encryption
Configure an SSL certificate
After SSL encryption is enabled, you must configure an SSL certificate on your application or client. Otherwise, your application or client cannot connect to your RDS instance. In this topic, MySQL Workbench and Navicat are used as examples. If you use other applications or clients, see the related instructions.
Perform the following steps to configure an SSL certificate on MySQL Workbench:
Perform the following steps to configure an SSL certificate on Navicat:
Update the validity period of an SSL certificate
- The Update Validity operation causes your RDS instance to restart. Proceed with caution.
- After you perform the Update Validity operation, you must download the SSL certificate file and configure the SSL certificate again.
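The following shell function is an added example, not part of the original topic or of any ApsaraDB RDS tooling. It checks a PEM certificate file against a warning window so that the Update Validity operation can be scheduled before clients lose their encrypted connections. The function names, the 30-day default window, and the assumption that the downloaded certificate file is PEM-encoded are illustrative; the sample certificate is constructed locally with openssl.

```shell
#!/bin/sh
# Added example. Exit status follows the common monitoring convention:
# 0 = OK, 1 = expires within the warning window, 2 = already expired,
# 3 = file unreadable or not a PEM certificate.
check_cert_expiry() {
    cce_file=$1
    cce_warn_days=${2:-30}   # assumed default warning window, in days
    if [ ! -r "$cce_file" ]; then
        echo "UNKNOWN: cannot read '$cce_file'" >&2
        return 3
    fi
    # -checkend also fails on unparsable input, so rule that out first.
    if ! openssl x509 -noout -in "$cce_file" >/dev/null 2>&1; then
        echo "UNKNOWN: '$cce_file' is not a PEM certificate" >&2
        return 3
    fi
    cce_end=$(openssl x509 -noout -enddate -in "$cce_file" | cut -d= -f2)
    if ! openssl x509 -noout -checkend 0 -in "$cce_file" >/dev/null; then
        echo "CRITICAL: certificate expired on $cce_end"
        return 2
    fi
    if ! openssl x509 -noout -checkend $((cce_warn_days * 86400)) \
            -in "$cce_file" >/dev/null; then
        echo "WARNING: certificate expires on $cce_end (within $cce_warn_days days)"
        return 1
    fi
    echo "OK: certificate valid until $cce_end"
    return 0
}

# Constructed sample input: a throwaway self-signed certificate that stands in
# for the certificate file downloaded for the instance. Prints the file path.
make_sample_cert() {
    msc_dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=constructed-sample" \
        -keyout "$msc_dir/key.pem" -out "$msc_dir/cert.pem" \
        >/dev/null 2>&1 || return 1
    echo "$msc_dir/cert.pem"
}

# Demo on the constructed certificate (valid for 365 days, 30-day window).
sample_cert=$(make_sample_cert 365)
check_cert_expiry "$sample_cert" 30 || true
```

Run from a scheduler, a non-zero exit status can feed an existing alerting pipeline.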

Disable SSL encryption
- If you disable SSL encryption, your RDS instance restarts. In this case, ApsaraDB RDS triggers a primary/secondary switchover to reduce the impact on your workloads. However, we still recommend that you disable SSL encryption during off-peak hours.
- After you disable SSL encryption, access performance increases, but security decreases. We recommend that you disable SSL encryption only in secure environments.
- In the left-side navigation pane, click Data Security.
- Click the SSL Encryption tab.
- Turn off SSL Encryption. In the message that appears, click OK.
FAQ
If I do not update the validity period of an expired SSL certificate, does my RDS instance malfunction or does data security deteriorate?
If you do not update the expired SSL certificate, your RDS instance still runs as normal and no security risks occur. However, if your application communicates with your RDS instance over an encrypted connection, your application is disconnected.