This topic describes how to configure a custom certificate that is used for SSL encryption
on an ApsaraDB RDS for PostgreSQL instance. In ApsaraDB RDS for PostgreSQL, SSL encryption
supports cloud certificates and custom certificates.
Prerequisites
- The RDS instance runs PostgreSQL 10 or later with standard SSDs or enhanced SSDs (ESSDs).
- OpenSSL is installed.
Note Linux operating systems are provided with OpenSSL. If you are using a Linux operating
system, you do not need to install OpenSSL. If you are using a Windows operating system,
you must download the OpenSSL software package and install OpenSSL. For more information,
visit the Win32/Win64 OpenSSL page.
Precautions
- After SSL encryption is enabled, the CPU utilization and the read and write latencies
increase.
- After SSL encryption is enabled, you must close the existing connection and establish
a new connection to make SSL encryption take effect.
- When you configure a custom certificate, change the content of the configured custom
certificate, or disable SSL encryption, the RDS instance restarts. The restart process
requires about 3 minutes. We recommend that you perform these operations during off-peak
hours.
Step 1: Create a custom certificate
Notice When you create a private key for a server certificate or self-signed certificate,
do not enable password encryption. If you enable password encryption, SSL encryption
cannot be enabled.
In this example, Community Enterprise Operating System (CentOS) is used. If you are
using a Windows operating system, you can run the openssl command with the same
options that you use in CentOS. In addition, if you are using a Windows operating
system, you must directly copy and edit the files that you need rather than running
the cp and vim commands.
- Create a self-signed certificate. The self-signed certificate is saved in a file named
ca.crt. Also, create a private key for the self-signed certificate. The private key
is saved in a file named ca.key.
openssl req -new -x509 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/CN=root-ca"
- Create a certificate signing request (CSR). The CSR is used to request a server certificate
and is saved in a file named server.csr. Also, create a private key for the server
certificate. The private key is saved in a file named server.key.
Each custom certificate can protect one or more endpoints.
- Create a server certificate. The server certificate is saved in a file named server.crt.
- If you want to protect a single endpoint, run the following command:
openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
- If you want to protect multiple endpoints, run the following command:
openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extensions v3_req -extfile /tmp/openssl.cnf
After you complete the preceding operations, you can obtain the following files:
- server.crt: the file that contains the server certificate
- server.key: the file that contains the private key of the server certificate
- ca.crt: the file that contains the self-signed certificate
- ca.key: the file that contains the private key of the self-signed certificate
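The following script is an added example and not part of this topic: it runs the Step 1 procedure end to end in one directory and checks the result before the files are pasted into the console. The CSR command (which the steps above describe but do not show), the contents of the openssl.cnf file whose v3_req section the multi-endpoint command references, the explicit CA extensions, and the endpoint names are all assumptions made here, not taken from the topic.

```shell
#!/bin/sh
# Added example, not from the ApsaraDB RDS documentation. Assumptions (not on
# the page): the CSR command, the openssl.cnf layout, explicit CA extensions,
# and the endpoint names. Every key is created with -nodes, because a
# passphrase-protected key cannot be used for RDS SSL (Notice in Step 1).
set -eu

# Endpoints the server certificate must cover. Constructed placeholders:
# replace them with the RDS instance's real endpoints (space-separated).
ENDPOINTS="${ENDPOINTS:-pgm-example.pg.rds.aliyuncs.com pgm-example-pub.pg.rds.aliyuncs.com}"

# write_config DIR: write DIR/openssl.cnf. The v3_req section lists every
# endpoint as a subjectAltName, which is what lets one certificate protect
# several endpoints. v3_ca is an assumption; the page's CA command relies on
# the system default config for these extensions.
write_config() {
    {
        printf '[req]\ndistinguished_name = dn\n[dn]\n'
        printf '[v3_ca]\nbasicConstraints = critical, CA:true\n'
        printf 'keyUsage = critical, keyCertSign, cRLSign\n'
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for h in $ENDPOINTS; do
            printf 'DNS.%d = %s\n' "$i" "$h"
            i=$((i + 1))
        done
    } > "$1/openssl.cnf"
}

# make_certs DIR: produce ca.crt, ca.key, server.csr, server.key, server.crt.
make_certs() {
    dir=$1
    mkdir -p "$dir"
    write_config "$dir"
    set -- $ENDPOINTS
    first=$1
    # Self-signed CA certificate and key (Step 1, plus explicit CA extensions).
    openssl req -new -x509 -days 3650 -nodes -config "$dir/openssl.cnf" \
        -extensions v3_ca -subj "/CN=root-ca" \
        -out "$dir/ca.crt" -keyout "$dir/ca.key" 2>/dev/null
    # CSR and server key; the first endpoint is the CN (assumed command).
    openssl req -new -nodes -config "$dir/openssl.cnf" -subj "/CN=$first" \
        -out "$dir/server.csr" -keyout "$dir/server.key" 2>/dev/null
    # Server certificate signed by the CA with the SAN list attached
    # (the page's multi-endpoint command, reading the config from DIR).
    openssl x509 -req -in "$dir/server.csr" -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extensions v3_req -extfile "$dir/openssl.cnf" \
        -out "$dir/server.crt" 2>/dev/null
}

# chain_ok DIR: 0 if server.crt verifies against ca.crt (what a client does).
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# host_covered DIR HOST: 0 if HOST matches the certificate (SAN, then CN).
host_covered() {
    openssl x509 -in "$1/server.crt" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# key_unencrypted DIR: 0 if server.key starts with the header the console
# expects, i.e. it is a plain, not passphrase-protected, PKCS#8 key.
key_unencrypted() {
    head -n 1 "$1/server.key" 2>/dev/null | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# key_matches_cert DIR: 0 if server.key is the private half of server.crt.
key_matches_cert() {
    a=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null || true)
    b=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null || true)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

main() {
    out=${OUT_DIR:-./rds-custom-cert}
    make_certs "$out"
    chain_ok "$out"
    key_unencrypted "$out"
    key_matches_cert "$out"
    for h in $ENDPOINTS; do host_covered "$out" "$h"; done
    echo "OK: paste $out/server.crt and $out/server.key into the console; keep ca.key offline"
}

# Run the whole procedure when executed directly; NO_MAIN=1 only defines the functions.
if [ "${NO_MAIN:-0}" != 1 ]; then
    main
fi
```

Run it as `ENDPOINTS="<endpoint1> <endpoint2>" sh make-rds-cert.sh`. The checks at the end catch the three mistakes that otherwise surface only after the 3-minute restart: a certificate that does not chain to ca.crt, a server.key that belongs to a different certificate, and an endpoint that is missing from the SAN list. Only server.crt and server.key are uploaded; ca.key stays on the machine that signs certificates and ca.crt is what clients will pin in Step 3.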
Step 2: Use the created custom certificate to enable SSL encryption
Note After a custom certificate is configured, the status of the RDS instance changes from
Running to Modifying SSL. After about 3 minutes, the status changes back to Running.
- Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the
instance. In the left-side navigation pane, click . On the page that appears, click the SSL Encryption tab.
- Click Custom Certificate. Then, click Configuration next to Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, specify the server certificate and the private key
of the server certificate.

Parameter | Description
Server Certificate | Enter the content of the server.crt file that you created. For more information, see the "Step 1: Create a custom certificate" section of this topic. Make sure that all the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is copied to this field.
Private Key of Server Certificate | Enter the content of the server.key file that you created. For more information, see the "Step 1: Create a custom certificate" section of this topic. Make sure that all the content from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- is copied to this field.
When you request a custom certificate, you can select multiple endpoints that you
want to protect. If you select multiple endpoints, you can find multiple records in
the Protected Host parameter.

Step 3: Connect to the RDS instance from a database client
You can connect to the RDS instance from the database client over SSL by using one
of the following methods:
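The following script is an added example and not part of this topic: it shows how a psql client connects so that it actually verifies the server certificate against the ca.crt created in Step 1, which is what the custom certificate is meant to achieve. The endpoint, database name, user and file paths are constructed placeholders, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the ApsaraDB RDS documentation. Endpoint, database,
# user and paths are constructed placeholders.
set -eu

# conninfo HOST DB USER CAFILE: libpq keyword/value string for psql.
# sslmode=verify-full is what prevents a disguised database: libpq checks that
# the server certificate chains to CAFILE *and* that HOST matches its SAN/CN.
# verify-ca checks only the chain; require and prefer accept any certificate.
conninfo() {
    printf 'host=%s port=5432 dbname=%s user=%s sslmode=verify-full sslrootcert=%s' \
        "$1" "$2" "$3" "$4"
}

# ca_ok CAFILE: 0 if CAFILE is readable and parses as a PEM certificate.
# With verify-full an unusable CA file makes the connection fail closed, so
# check it up front rather than guessing from libpq's error text.
ca_ok() {
    [ -r "$1" ] && openssl x509 -in "$1" -noout 2>/dev/null
}

# tls_probe HOST CAFILE: hand-check the server certificate without psql.
# -starttls postgres performs the PostgreSQL SSLRequest handshake, and
# -verify_return_error makes s_client fail instead of continuing when the
# chain to CAFILE or the hostname check fails.
tls_probe() {
    openssl s_client -connect "$1:5432" -starttls postgres \
        -CAfile "$2" -verify_hostname "$1" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# connect HOST DB USER CAFILE: refuse to start psql with a broken CA file.
connect() {
    ca_ok "$4" || { echo "CA file '$4' missing or not a PEM certificate" >&2; return 1; }
    psql "$(conninfo "$1" "$2" "$3" "$4")"
}

# Usage: sh connect-rds.sh <endpoint> <dbname> <user> <path-to-ca.crt>
if [ $# -ge 4 ]; then
    connect "$1" "$2" "$3" "$4"
fi
```

The same settings can be exported as PGSSLMODE=verify-full and PGSSLROOTCERT=/path/to/ca.crt for tools that take no connection string. The point to keep in mind is that uploading a custom certificate on the server side changes nothing unless clients pin ca.crt and use verify-full; with sslmode=require the connection is still encrypted, but any certificate is accepted.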
Step 4: (Optional) Update the created custom certificate
Note This operation triggers a restart of the RDS instance. Proceed with caution.
On the SSL tab, click Modify next to Configure Database Certificate (to Prevent Database
Disguise). In the dialog box that appears, enter the new server certificate that you want to
use and the private key of the new server certificate.

Step 5: (Optional) Disable SSL encryption
Note This operation triggers a restart of the RDS instance. Proceed with caution.
On the SSL tab, click Disable SSL.
