
ApsaraDB RDS:Enable SSL encryption with a cloud certificate

Last Updated:Jun 04, 2026

This topic describes how to configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance. SSL encryption is used to encrypt the connections from a database client to an RDS instance. This helps you protect the data that is transmitted over the connections. This topic also describes how to configure a cloud certificate to enable SSL encryption.

Background information

SSL is a protocol that is developed to ensure secure communication and protect data. From SSL 3.0 onwards, SSL is renamed as TLS.

Note

ApsaraDB RDS for PostgreSQL supports TLS 1.0, TLS 1.1, and TLS 1.2.

The following table provides a comparison of the SSL encryption configurations and benefits among various certificates.

Item | Cloud certificate | Custom certificate | Client CA certificate
--- | --- | --- | ---
Purpose | The server (database) certificate, which is used by the client to authenticate the server. | The server (database) certificate, which is used by the client to authenticate the server. | The client certificate, which is used by the server (database) to authenticate the client.
Method to obtain | Issued by Alibaba Cloud. | Issued by a certification authority (CA) or from a self-signed certificate. | Issued from a self-signed certificate.
Validity period | 365 days. | Customized. | Customized.
Number of protected endpoints | 1 | 1 or more. | Varies based on the cloud certificate or custom certificate that is used. The number of protected endpoints does not vary based on the CA certificate that is used.

Note
  • You must configure a cloud certificate or a custom certificate to enable SSL encryption and authenticate the server (database).

  • You can choose not to configure a client CA certificate, which is used by the server to authenticate the client.

Prerequisites

  • The RDS instance runs PostgreSQL 10 or later and uses cloud disks.

    Note

    Serverless RDS instances are not supported.

  • The pgAdmin 4 client is downloaded. For more information, see pgAdmin 4.

Usage notes

  • A cloud certificate is valid for one year. Before it expires, Alibaba Cloud sends renewal reminders through emails and internal messages in the Event Center, and automatically renews the certificate within a specific period. You can customize the certificate renewal time by configuring the scheduled event. For more information, see Scheduled events.

  • After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.

  • After SSL encryption is enabled, you must close the existing connection and establish a new connection to make SSL encryption take effect.

  • When you configure a cloud certificate, change the endpoint that is protected by the configured cloud certificate, or disable SSL encryption, the RDS instance restarts. Transient disconnections lasting several minutes may occur during the restart. We recommend that you perform these operations during off-peak hours.

Step 1: Use a cloud certificate to enable SSL encryption

In this topic, cloud certificates are used to describe how to configure SSL encryption.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, choose Data Security > SSL.

    Note

    If you do not see the SSL tab on the console, check whether your ApsaraDB RDS for PostgreSQL instance meets the version and storage type requirements. For more information, see Prerequisites.

  3. For Certificate Source, select Cloud Certificate. Click Configuration next to Configure Database Certificate (to Prevent Database Disguise), and then select the endpoint that you want to protect.

    Note
    • If you have not enabled a public endpoint, the Select Protected Endpoint dialog box displays only the internal endpoint of the ApsaraDB RDS for PostgreSQL instance. If you have enabled a public endpoint, both the internal and public endpoints are displayed. A cloud certificate can protect only one endpoint. Because internal connections are relatively secure, we recommend that you protect the public endpoint. To view the internal and public endpoints, see View and change the internal and public endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.

    • For more information about how to protect the internal endpoint and the public endpoint at the same time, see Use a custom certificate to enable the SSL encryption feature.

    • After configuring the cloud certificate, the Status of the instance changes to Modifying SSL Settings. This process takes about three minutes. Wait for the status to change to Running before you proceed.

Step 2: Download the server CA certificate

After you configure the cloud certificate, you must download and save the server (database) CA certificate to your client. When you connect to the RDS instance from the client, you can use the server (database) CA certificate to authenticate the RDS instance.

  1. For Certificate Source, select Cloud Certificate and click Download CA Certificate.

  2. Decompress the file that you downloaded.

    The file that you downloaded is a package that contains the following files:

    • PEM file: suitable for most scenarios.

    • JKS file: suitable for Java applications. In most cases, the PEM-formatted certification authority (CA) certificate must be imported into a truststore to produce a JKS file; this package already provides the converted file. The truststore password is apsaradb.

    • P7B file: suitable for a small number of Windows applications that require PKCS#7-formatted certificate files.

Step 3: Connect to the RDS instance from the database client

In this example, pgAdmin is used to describe how to connect to the RDS instance over SSL.

Note

You can connect to an RDS instance by using other methods as well, such as the psql command-line client and Java Database Connectivity (JDBC). For more information, see Connect to an ApsaraDB RDS for PostgreSQL instance over SSL connections.

  1. Start the pgAdmin 4 client.

    Note

    When you first log on to recent versions of the client, you must set a Master Password to protect saved credentials.

  2. Right-click Servers and select Register > Server....

  3. On the General tab, specify a name for the connection.

  4. On the Connection tab, configure the Connection settings by entering the following parameters for your instance.

    Parameter: Host name/address and Port

    The endpoint and port of the ApsaraDB RDS for PostgreSQL instance.

    • If you connect over an internal network, enter the internal endpoint and port of the RDS instance.

    • If you connect over a public network, enter the public endpoint and port of the RDS instance.

    You can view the endpoints and ports on the database connection page of the ApsaraDB RDS for PostgreSQL instance. For more information, see View or change an endpoint and port.

    Parameter: Username and Password

    The account and password for your ApsaraDB RDS for PostgreSQL instance. For information about how to create an account for an RDS instance, see Create an account and a database.

  5. Select the Parameters tab, and then add and configure SSL authentication parameters.

    Parameter: SSL mode

    For security purposes, we recommend that you set this parameter to Require, Verify-CA, or Verify-Full. The values of the SSL mode parameter have the following meanings:

    • Require: The database client encrypts the connection that is used to transmit data, but does not validate the server certificate of the RDS instance.

    • Verify-CA: The database client encrypts the connection and validates the RDS instance by checking its server certificate against the CA root certificate.

    • Verify-Full: The database client encrypts the connection, validates the server certificate of the RDS instance, and also checks that the Common Name (CN) or DNS name in the server certificate matches the Host name/address that is specified for the connection.

    Parameter: Root certificate

    This parameter is required if you set SSL mode to Verify-CA or Verify-Full. It specifies the path to the CA root certificate file.

    Note
    • In this example, the CA certificate downloaded from the SSL tab is extracted to D:\CA\aliyunCA\. You can extract the certificate to any local directory.

    • In pgAdmin, the file that contains the server CA certificate is in the PEM format.

  6. Click Save.

    If the connection information is correct, a page appears that indicates the connection is successful.

    Important

    postgres is the default system database for an RDS instance. Do not perform any operations in this database.
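The SSL mode and Root certificate settings configured in pgAdmin map directly onto the libpq parameters sslmode and sslrootcert, which psql, psycopg2 and similar clients also accept. The following Python helper is an added example, not code from the original topic: it composes those parameters while refusing weak or incomplete combinations, and evaluates a pg_stat_ssl row so you can confirm that a reconnected session is actually encrypted. The hostname, the CA file name and the pg_stat_ssl values it is tested with are constructed placeholders.

```python
# Added illustration for the SSL mode / Root certificate settings above.
# Hostnames, the CA file name and the pg_stat_ssl row used in tests are
# constructed placeholders, not values from the RDS console.
import os

# libpq sslmode values, weakest to strongest. Only the last three are
# recommended; verify-ca and verify-full also need the downloaded CA PEM.
SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
MODES_NEEDING_ROOTCERT = {"verify-ca", "verify-full"}

# Run after connecting to see what the server negotiated for this backend.
SESSION_QUERY = ("SELECT ssl, version, cipher FROM pg_stat_ssl "
                 "WHERE pid = pg_backend_pid()")


def build_conninfo(host, port, user, password, dbname,
                   sslmode="verify-full", sslrootcert=None, require_file=True):
    """Return keyword parameters accepted by psycopg2.connect() / libpq.
    Modes weaker than 'require', and verify-ca/verify-full without a CA
    file, are rejected so a typo cannot silently downgrade the connection."""
    if sslmode not in SSL_MODES:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    if SSL_MODES.index(sslmode) < SSL_MODES.index("require"):
        raise ValueError(f"sslmode {sslmode!r} does not enforce encryption")
    params = {"host": host, "port": port, "user": user,
              "password": password, "dbname": dbname, "sslmode": sslmode}
    if sslmode in MODES_NEEDING_ROOTCERT:
        if not sslrootcert:
            raise ValueError(f"sslmode {sslmode!r} requires sslrootcert (CA PEM)")
        if require_file and not os.path.isfile(sslrootcert):
            raise ValueError(f"CA file not found: {sslrootcert}")
        params["sslrootcert"] = sslrootcert
    return params


def session_meets_policy(row, min_tls=(1, 2)):
    """Judge one pg_stat_ssl row ({'ssl', 'version', 'cipher'}).
    A session opened before SSL was enabled still reports ssl = false
    (hence the reconnect advice); TLS 1.0/1.1 are accepted by the server
    but flagged here as below a reasonable minimum."""
    if not row.get("ssl"):
        return False, "session is not encrypted; reconnect after enabling SSL"
    version = row.get("version") or ""
    if not version.startswith("TLSv"):
        return False, f"unexpected protocol {version!r}"
    negotiated = tuple(int(part) for part in version[4:].split("."))
    if negotiated < min_tls:
        return False, f"{version} is below the required minimum"
    return True, f"{version} with {row.get('cipher')}"
```

Pass the dictionary returned by build_conninfo to psycopg2.connect(**params), then run SESSION_QUERY on the new connection and feed the row to session_meets_policy; a False result on a connection that was open before SSL was enabled is the expected symptom described in the usage notes.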