This topic describes how to configure a client certification authority (CA) certificate on an ApsaraDB RDS for PostgreSQL instance. If you use a cloud certificate or a custom certificate to enable SSL encryption on an RDS instance, a database client validates the RDS instance before the database client connects to the RDS instance. If you want the RDS instance to validate the database client, you must also configure a client CA certificate.
Prerequisites
- SSL encryption is configured, or a custom certificate is configured. For more information, see Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance or Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance.
- OpenSSL is installed. Note Linux operating systems are provided with OpenSSL. If you are using a Linux operating system, you do not need to install OpenSSL. If you are using a Windows operating system, you must download the OpenSSL software package and install OpenSSL. For more information, visit the Win32/Win64 OpenSSL page.
Precautions
- After a client CA certificate is configured, you must close the existing connection and establish a new connection to make SSL encryption take effect.
- When you configure a client CA certificate, change the content of the configured client CA certificate, or modify a certificate revocation list (CRL) on the RDS instance, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.
Step 1: Create a client certificate
In this example, Community Enterprise Operating System (CentOS) is used. If you are using a Windows operating system, you can configure the openssl
command by using the same configuration that you use in CentOS.
- Create a self-signed certificate. The self-signed certificate is saved in a file named ca1.crt. Also, create a private key for the self-signed certificate. The private key is saved in a file named ca1.key.
openssl req -new -x509 -days 3650 -nodes -out ca1.crt -keyout ca1.key -subj "/CN=root-ca1"
- Create a certificate signing request (CSR). The CSR is used to request a client certificate and is saved in a file named client.csr. Also, create a private key for the client certificate. The private key is saved in a file named client.key.
openssl req -new -nodes -text -out client.csr -keyout client.key -subj "/CN=<Username that is used for logons from the database client>"
Note In the preceding command, the CN parameter follows the -subj parameter. You must set the CN parameter to the username of the account that is used by the database client to connect to the RDS instance. - Create a client certificate. The client certificate is saved in a file named client.crt.
openssl x509 -req -in client.csr -text -days 365 -CA ca1.crt -CAkey ca1.key -CAcreateserial -out client.crt
- client.crt: the name of the file that contains the client certificate
- client.key: the file that contains the private key of the client certificate
- ca1.crt: the file that contains the self-signed certificate
- ca1.key: the file that contains the private key of the self-signed certificate
Step 2: Configure a client CA certificate
- Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane, click SSL Encryption tab. . On the page that appears, click the
- Click Enable Client CA Certificate.
- In the dialog box that appears, copy the content of the ca1.crt file to the Public Key field. Then, click OK. For more information about how to obtain the ca1.crt file, see the "Step 1: Create a client certificate" section of this topic.
Step 3: Connect to the RDS instance from the database client
Step 4: (Optional) Configure a CRL file
If you no longer need the client certificate, you can revoke the client certificate. After the client certificate is revoked, the RDS instance denies access requests from the database client.
- Modify the openssl.cnf file.
touch /etc/pki/CA/index.txt echo 1000 > /etc/pki/CA/crlnumber
NoteIf you are using a Windows operating system, you must perform the following operations:- Create a CA folder in the Installation directory of OpenSSL\bin path.
- Create a file named index.txt in the CA folder.
- Run the following command by using PostgreSQL CLI:
echo 1000 > <Installation directory of OpenSSL>\bin\CA\crlnumber
- Modify the openssl.cnf file in the C:\Program Files\Common Files\SSL\ path.
# Find the [ CA_default ] configuration item. dir = "<Installation directory of OpenSSL>\\bin\\CA"
- Revoke the client certificate, which is contained in the client.crt file.
openssl ca -revoke client.crt -cert ca1.crt -keyfile ca1.key
Note The preceding command requires the self-signed certificate and the private key of the self-signed certificate. The self-signed certificate is contained in the ca1.crt file, and the private key of the self-signed certificate is contained in the ca1.key file. For more information, see the "Step 1: Create a client certificate" section of this topic. - Create a CRL. The CRL is saved in a file named client.crl.
openssl ca -gencrl -out client.crl -cert ca.crt -keyfile ca.key
- Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane, click SSL Encryption tab. . On the page that appears, click the
- Click Enable Certificate Revocation File.
- In the dialog box that appears, copy the content of the client.crl file to the Revocation File field.
Step 5: (Optional) Update the client certificate

Step 6: (Optional) Configure an ACL
After a client CA certificate is configured, you can configure an access control list (ACL) on the RDS instance. Then, the database client can connect to the RDS instance only after the RDS instance validates the database client based on the SSL mode that you specify. The RDS instance validates the database client by using the client certificate and the private key of the client certificate.
- When you configure an ACL, no operations can be performed on the RDS instance. This configuration process requires about 1 minute.
- If you have not specified an SSL mode for the database client, the default SSL mode is used. The default SSL mode is perfer. In this case, you can set the
PGSSLMODE
parameter to disable. Then, you can connect to the RDS instance over SSL. If you want to prohibit non-SSL connections, you must specify an SSL mode for the configured ACL after you enable SSL encryption. The SSL mode that you specify cannot be perfer.

- cert: A client certificate rather than a password is used to validate the database client. An SSL connection is established. In addition, the system validates the client certificate and checks whether the CN specified in the client certificate is consistent with the username that is used to connect to the RDS instance.
- perfer: An SSL connection is established. If you set the PGSSLMODE parameter on the database client to disable, you can connect the database client to the RDS instance over a non-SSL connection.
- verify-ca: An SSL connection is established, and the system validates the client certificate.
- verify-full: An SSL connection is established, and the system validates the client certificate and checks whether the CN specified in the client certificate is consistent with the username that is used to connect to the RDS instance. This SSL mode is supported only for PostgreSQL 12.