This topic describes how to configure a client certification authority (CA) certificate on an ApsaraDB RDS for PostgreSQL instance. If you use a cloud certificate or a custom certificate to enable SSL encryption on an RDS instance, a database client validates the RDS instance before the database client connects to the RDS instance. If you want the RDS instance to validate the database client, you must also configure a client CA certificate.
Prerequisites
- SSL encryption is configured, or a custom certificate is configured. For more information, see Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance or Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance.
- OpenSSL is installed.
Note Linux operating systems are provided with OpenSSL. If you are using a Linux operating system, you do not need to install OpenSSL. If you are using a Windows operating system, you must download the OpenSSL software package and install OpenSSL. For more information, visit the Win32/Win64 OpenSSL page.
Precautions
- After a client CA certificate is configured, you must close the existing connection and establish a new connection to make SSL encryption take effect.
- When you configure a client CA certificate, change the content of the configured client CA certificate, or modify a certificate revocation list (CRL) on the RDS instance, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.
Step 1: Create a client certificate
In this example, Community Enterprise Operating System (CentOS) is used. If you are using a Windows operating system, you can run the same openssl commands with the same parameters that you use in CentOS. The following files are used:
- client.crt: the file that contains the client certificate
- client.key: the file that contains the private key of the client certificate
- ca1.crt: the file that contains the self-signed CA certificate
- ca1.key: the file that contains the private key of the self-signed CA certificate
Step 2: Configure a client CA certificate
Step 3: Connect to the RDS instance from the database client
Step 4: (Optional) Configure a CRL file
If you no longer need the client certificate, you can revoke the client certificate. After the client certificate is revoked, the RDS instance denies access requests from the database client.
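The following shell script is an added example and is not part of this topic or of the ApsaraDB RDS service. It produces the files listed in Step 1 with OpenSSL (ca1.key, ca1.crt, client.key, client.crt), checks that the client certificate chains to the CA, and then revokes the client certificate and writes the CRL file (ca1.crl) that Step 4 refers to. The working directory, the subject names, the validity periods, and the minimal openssl ca configuration are assumptions made for this example; the client certificate CN is set to the database username because the cert and verify-full SSL modes compare that CN with the username used to connect.

```shell
#!/bin/sh
# Added example: build a client CA, a client certificate and a CRL with OpenSSL.
# File names follow the topic (ca1.key, ca1.crt, client.key, client.crt, ca1.crl);
# directory, subject names, validity and the openssl ca config are assumptions.
set -e

# Create the CA private key and the self-signed CA certificate (ca1.key / ca1.crt).
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca1.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca1.key" -days 3650 -sha256 \
    -subj "/CN=example-client-ca" -out "$dir/ca1.crt"
}

# Create the client key and a CSR, then sign the CSR with the CA.
# The CN is the database username so that cert/verify-full can match it.
make_client_cert() {
  dir="$1"; user="$2"
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/CN=$user" -out "$dir/client.csr"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca1.crt" -CAkey "$dir/ca1.key" \
    -CAcreateserial -days 365 -sha256 -out "$dir/client.crt"
}

# Exit 0 if client.crt chains to ca1.crt, which is what the RDS instance checks.
verify_client_cert() {
  openssl verify -CAfile "$1/ca1.crt" "$1/client.crt" >/dev/null 2>&1
}

# Print the CN of client.crt (works with both "CN = x" and "/CN=x" output styles).
client_cn() {
  openssl x509 -in "$1/client.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Revoke client.crt and write ca1.crl, using a minimal constructed openssl ca config.
make_crl() {
  dir="$1"
  : > "$dir/index.txt"          # empty CA database; revoke adds the entry itself
  echo 1000 > "$dir/crlnumber"  # hex CRL sequence number
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = client_ca
[ client_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca1.crt
private_key = $dir/ca1.key
default_md = sha256
default_crl_days = 30
EOF
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/client.crt"
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca1.crl"
}

# Exit 0 if client.crt is rejected as revoked when the CRL is consulted.
is_revoked() {
  cat "$1/ca1.crt" "$1/ca1.crl" > "$1/ca-with-crl.pem"
  openssl verify -crl_check -CAfile "$1/ca-with-crl.pem" "$1/client.crt" 2>&1 \
    | grep -q 'certificate revoked'
}

# Usage: sh make_client_cert.sh demo [directory]
if [ "${1:-}" = "demo" ]; then
  DIR="${2:-./certs}"
  make_ca "$DIR"
  make_client_cert "$DIR" "${PGUSER:-testuser}"
  verify_client_cert "$DIR" && echo "client.crt chains to ca1.crt (CN=$(client_cn "$DIR"))"
  make_crl "$DIR"
  is_revoked "$DIR" && echo "client.crt is now listed in ca1.crl"
fi
```

The certificate files the script writes are the ones this topic names: ca1.crt is the self-signed CA certificate that the RDS instance validates clients against, client.crt and client.key are what the database client presents, and ca1.crl is the CRL for Step 4. Keep ca1.key and client.key readable only by their owners; the CRL must be regenerated and reconfigured after each revocation, which restarts the RDS instance as described in Precautions.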
Step 5: (Optional) Update the client certificate

Step 6: (Optional) Configure an ACL
After a client CA certificate is configured, you can configure an access control list (ACL) on the RDS instance. Then, the database client can connect to the RDS instance only after the RDS instance validates the database client based on the SSL mode that you specify. The RDS instance validates the database client by using the client certificate and the private key of the client certificate.
- When you configure an ACL, no operations can be performed on the RDS instance. This configuration process requires about 1 minute.
- If you have not specified an SSL mode for the database client, the default SSL mode is used, which is prefer. In this case, a database client that sets the PGSSLMODE parameter to disable can still connect to the RDS instance over a non-SSL connection. If you want to prohibit non-SSL connections, you must specify an SSL mode for the configured ACL after you enable SSL encryption, and the SSL mode that you specify cannot be prefer.

- cert: A client certificate rather than a password is used to validate the database client. An SSL connection is established. In addition, the system validates the client certificate and checks whether the CN specified in the client certificate is consistent with the username that is used to connect to the RDS instance.
- prefer: An SSL connection is established. If you set the PGSSLMODE parameter on the database client to disable, you can connect the database client to the RDS instance over a non-SSL connection.
- verify-ca: An SSL connection is established, and the system validates the client certificate.
- verify-full: An SSL connection is established, and the system validates the client certificate and checks whether the CN specified in the client certificate is consistent with the username that is used to connect to the RDS instance. This SSL mode is supported only for PostgreSQL 12.