This topic describes how to configure a client certification authority (CA) certificate on an ApsaraDB RDS for PostgreSQL instance. If you use a cloud certificate or a custom certificate to enable SSL encryption on an RDS instance, a database client validates the RDS instance before the database client connects to the RDS instance. If you want the RDS instance to validate the database client, you must also configure a client CA certificate.

Prerequisites

Precautions

  • After a client CA certificate is configured, you must close the existing connection and establish a new connection to make SSL encryption take effect.
  • When you configure a client CA certificate, change the content of the configured client CA certificate, or modify a certificate revocation list (CRL) on the RDS instance, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Create a client certificate

In this example, Community Enterprise Operating System (CentOS) is used. If you are using a Windows operating system, you can configure the openssl command by using the same configuration that you use in CentOS.

  1. Create a self-signed certificate. The self-signed certificate is saved in a file named ca1.crt. Also, create a private key for the self-signed certificate. The private key is saved in a file named ca1.key. 
    openssl req -new -x509 -days 3650 -nodes -out ca1.crt -keyout ca1.key -subj "/CN=root-ca1"
  2. Create a certificate signing request (CSR). The CSR is used to request a client certificate and is saved in a file named client.csr. Also, create a private key for the client certificate. The private key is saved in a file named client.key. 
    openssl req -new -nodes -text -out client.csr -keyout client.key -subj "/CN=<Username that is used for logons from the database client>"
    Note In the preceding command, the CN parameter follows the -subj parameter. You must set the CN parameter to the username of the account that is used by the database client to connect to the RDS instance.
  3. Create a client certificate. The client certificate is saved in a file named client.crt. 
    openssl x509 -req -in client.csr -text -days 365  -CA ca1.crt -CAkey ca1.key -CAcreateserial  -out client.crt
After you complete the preceding operations, you can obtain the following files:
  • client.crt: the name of the file that contains the client certificate
  • client.key: the file that contains the private key of the client certificate
  • ca1.crt: the file that contains the self-signed certificate
  • ca1.key: the file that contains the private key of the self-signed certificate

Step 2: Configure a client CA certificate

Note After a client CA certificate is configured, the status of the RDS instance changes from Running to Modifying SSL. After about 3 minutes, the status changes back to Running.
  1. Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane, click Data Security. On the page that appears, click the SSL Encryption tab.
  2. Click Enable Client CA Certificate.
    Enable Client CA Certificate button
  3. In the dialog box that appears, copy the content of the ca1.crt file to the Public Key field. Then, click OK. For more information about how to obtain the ca1.crt file, see the "Step 1: Create a client certificate" section of this topic.
    Enter the public key of the CA certificate

Step 3: Connect to the RDS instance from the database client

You can connect to the RDS instance from the database client over SSL by using one of the following methods:

Step 4: (Optional) Configure a CRL file

If you no longer need the client certificate, you can revoke the client certificate. After the client certificate is revoked, the RDS instance denies access requests from the database client.

Note After a CRL file is configured, the status of the RDS instance changes from Running to Modifying SSL. After about 3 minutes, the status changes back to Running.
  1. Modify the openssl.cnf file. 
    touch /etc/pki/CA/index.txt
echo 1000 > /etc/pki/CA/crlnumber
    Note
    If you are using a Windows operating system, you must perform the following operations:
    1. Create a CA folder in the Installation directory of OpenSSL\bin path.
    2. Create a file named index.txt in the CA folder.
    3. Run the following command by using PostgreSQL CLI:
      echo 1000 > <Installation directory of OpenSSL>\bin\CA\crlnumber
    4. Modify the openssl.cnf file in the C:\Program Files\Common Files\SSL\ path. 
      # Find the [ CA_default ] configuration item.

dir = "<Installation directory of OpenSSL>\\bin\\CA"
  2. Revoke the client certificate, which is contained in the client.crt file. 
    openssl ca -revoke client.crt -cert ca1.crt -keyfile ca1.key
    Note The preceding command requires the self-signed certificate and the private key of the self-signed certificate. The self-signed certificate is contained in the ca1.crt file, and the private key of the self-signed certificate is contained in the ca1.key file. For more information, see the "Step 1: Create a client certificate" section of this topic.
  3. Create a CRL. The CRL is saved in a file named client.crl. 
    openssl ca -gencrl -out client.crl -cert ca.crt -keyfile ca.key
  4. Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane, click Data Security. On the page that appears, click the SSL Encryption tab.
  5. Click Enable Certificate Revocation File.
    Enable Certificate Revocation File button
  6. In the dialog box that appears, copy the content of the client.crl file to the Revocation File field.
    Configure a CRL file

Step 5: (Optional) Update the client certificate

Note This operation triggers a restart of the RDS instance. Proceed with caution.
On the SSL Encryption tab of the Data Security page, click Clear Client CA Certificate. Then, click Enable Client CA Certificate. clearclientca

Step 6: (Optional) Configure an ACL

After a client CA certificate is configured, you can configure an access control list (ACL) on the RDS instance. Then, the database client can connect to the RDS instance only after the RDS instance validates the database client based on the SSL mode that you specify. The RDS instance validates the database client by using the client certificate and the private key of the client certificate.

Note
  • When you configure an ACL, no operations can be performed on the RDS instance. This configuration process requires about 1 minute.
  • If you have not specified an SSL mode for the database client, the default SSL mode is used. The default SSL mode is prefer. In this case, you can set the PGSSLMODE parameter to disable. Then, you can connect to the RDS instance over SSL. If you want to prohibit non-SSL connections, you must specify an SSL mode for the configured ACL after you enable SSL encryption. The SSL mode that you specify cannot be prefer.
Click Modify next to Configure ACL or Configure Replication ACL. In the dialog box that appears, select an SSL mode. acl
ApsaraDB RDS for PostgreSQL supports the following SSL modes and validation rules:
  • cert: A client certificate rather than a password is used to validate the database client. An SSL connection is established. In addition, the system validates the client certificate and checks whether the CN specified in the client certificate is consistent with the username that is used to connect to the RDS instance.
  • prefer: An SSL connection is established. If you set the PGSSLMODE parameter on the database client to disable, you can connect the database client to the RDS instance over a non-SSL connection.
  • verify-ca: An SSL connection is established, and the system validates the client certificate.
  • verify-full: An SSL connection is established, and the system validates the client certificate and checks whether the CN specified in the client certificate is consistent with the username that is used to connect to the RDS instance. This SSL mode is supported only for PostgreSQL 12.