ApsaraDB RDS:Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance

Prerequisites

• The RDS instance runs PostgreSQL 10 or later with standard SSDs or enhanced SSDs (ESSDs).
• OpenSSL is installed.
  Note Linux operating systems are provided with OpenSSL. If you are using a Linux operating system, you do not need to install OpenSSL. If you are using a Windows operating system, you must download the OpenSSL software package and install OpenSSL. For more information, visit the Win32/Win64 OpenSSL page.

Precautions

• After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.
• After SSL encryption is enabled, you must close the existing connection and establish a new connection to make SSL encryption take effect.
• When you configure a custom certificate, change the content of the configured custom certificate, or disable SSL encryption, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Create a custom certificate

In this example, Community Enterprise Operating System (CentOS) is used. If you are using a Windows operating system, you can configure the openssl command by using the same configuration that you use in CentOS. In addition, if you are using a Windows operating system, you must directly copy and edit the files that you need rather than running the cp and vim commands.

1. Create a self-signed certificate. The self-signed certificate is saved in a file named ca.crt. Also, create a private key for the self-signed certificate. The private key is saved in a file named ca.key.

   openssl req -new -x509 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/CN=root-ca"

2. Create a certificate signing request (CSR). The CSR is used to request a server certificate and is saved in a file named server.csr. Also, create a private key for the server certificate. The private key is saved in a file named server.key.
   Each custom certificate can protect one or more endpoints.

   • If you want to protect a single endpoint, run the following command:

     openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=pgm-bpxxxxx.pg.rds.aliyuncs.com"

   • If you want to protect multiple endpoints, run the following command:
     1. Copy the openssl.cnf file for temporary use.

        cp /etc/pki/tls/openssl.cnf  /tmp/openssl.cnf

        Note If you are using a Windows operating system, the openssl.cnf file is stored in the Installation directory of OpenSSL\bin\cnf path. You can copy the openssl.cnf file to any other directory on your computer.
     2. Run the following command to open the openssl.cnf file:

        vim /tmp/openssl.cnf

     3. Enter i to enable the edit mode. Then, add the following content to the openssl.cnf file:

        # Add the following content at the end of the [ req ] element.
        req_extensions = v3_req
        
        # Add the [ v3_req ] element.
        [ v3_req ]
        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        subjectAltName = @alt_names
        
        # Add the [ alt_names ] element. Then, enter the endpoint that you want to protect following each Domain Name System (DNS) record.
        [ alt_names ]
        DNS.1 = pgm-bpxxxxx.pg.rds.aliyuncs.com
        DNS.2 = pgm-bpxxxxx.pg.rds.aliyuncs.com

     4. Press Esc to exit the edit mode. Then, enter :wq to save the openssl.cnf file and exit.
     5. Create a CSR. The CSR is used to request a server certificate and is saved in a file named server.csr. Also, create a private key for the server certificate. The private key is saved in a file named server.key.

        openssl req -new -nodes -text -out server.csr -keyout server.key -config /tmp/openssl.cnf

        When the server.csr file is being created, you are prompted to configure the following parameters based on your business requirements.

        Parameter	Description	Example
        Country Name	The code for the country where the RDS instance resides. The country code must be two characters in length. ApsaraDB RDS supports country codes that are created and maintained by the International Organization for Standardization (ISO).	CN
        State or Province Name	The province where the RDS instance resides.	Zhejiang
        Locality Name	The city where the RDS instance resides.	Hangzhou
        Organization Name	The name of the enterprise that purchases the RDS instance.	Alibaba
        Organizational Unit Name	The name of the department that uses the RDS instance within the specified enterprise.	Aliyun
        Common Name	The domain name from which the request for an SSL certificate is originated. The domain name is specified in the openssl.cnf file. You do not need to specify this parameter.	-
        Email Address	You do not need to specify this parameter.	-
        A challenge password	You do not need to specify this parameter.	-
        An optional company name	You do not need to specify this parameter.	-

3. Create a server certificate. The server certificate is saved in a file named server.crt.
   • If you want to protect a single endpoint, run the following command:

     openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial  -out server.crt

   • If you want to protect multiple endpoints, run the following command:

     openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial  -out server.crt -extensions v3_req -extfile /tmp/openssl.cnf

Step 2: Use the created custom certificate to enable SSL encryption

1. Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane, click Data Security. On the page that appears, click the SSL Encryption tab.
2. Click Custom Certificate. Then, click Configuration next to Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, specify the server certificate and the private key of the server certificate.
   

   Parameter	Description
   Server Certificate	Enter the content of the server.crt file that you created. For more information, see the "Step 1: Create a custom certificate" section of this topic. Make sure that all the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is copied to this field.
   Private Key of Server Certificate	Enter the content of the server.key file that you created. For more information, see the "Step 1: Create a custom certificate" section of this topic. Make sure that all the content from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- is copied to this field.

   When you request a custom certificate, you can select multiple endpoints that you want to protect. If you select multiple endpoints, you can find multiple records in the Protected Host parameter.

Step 3: Connect to the RDS instance from a database client

Step 4: (Optional) Update the created custom certificate

On the SSL tab, click Modify next to Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, enter the new server certificate that you want to use and the private key of the new server certificate.

Step 5: (Optional) Disable SSL encryption

On the SSL tab, click Disable SSL.