If you want a cluster to authenticate a client that connects to the cluster over SSL, you must configure a client certificate authority (CA) certificate on the cluster. This topic describes how to configure a client CA certificate on a cluster.
Prerequisites
The cluster runs PolarDB for PostgreSQL (Compatible with Oracle) 2.0 or later whose revision version is 2.0.14.21.0 or later. You can configure a custom certificate or a client CA certificate on the primary endpoint only when the cluster runs one of these versions.
The PolarProxy version of the cluster is of 2.3.51 or later. You can configure a custom certificate or a client CA certificate on the default cluster endpoint or a custom cluster endpoint only when the PolarProxy runs one of these versions.
SSL is configured on the cluster by using a cloud certificate or a custom certificate. For more information, see Configure SSL by using a cloud certificate or Configure a custom certificate.
OpenSSL is installed.
Note: Linux operating systems are provided with OpenSSL. If you use a Linux operating system, you do not need to install OpenSSL. If you use a Windows operating system, you must download and install the OpenSSL software package.
Usage notes
After you configure a client CA certificate, you must close and reestablish the existing connections for SSL to take effect.
When you configure a client CA certificate, modify the client certificate revocation list file, disable a client CA certificate, or disable the client certificate revocation list file, existing connections are briefly interrupted. We recommend that you perform these operations during off-peak hours.
Step 1: Create a client certificate
In this example, a Community Enterprise Operating System (CentOS) is used. If you use a Windows operating system, run the same openssl commands as in the CentOS example.
Create a self-signed certificate (ca1.crt) and a private key for the self-signed certificate (ca1.key).
openssl req -new -x509 -days 3650 -nodes -out ca1.crt -keyout ca1.key -subj "/CN=root-ca1"
Create a client certificate signing request (client.csr) and a private key for the client certificate signing request (client.key).
openssl req -new -nodes -text -out client.csr -keyout client.key -subj "/CN=<Username of the client>"
Note: In the preceding command, set the common name (CN) that follows the -subj parameter to the username of the database account that the client uses to connect to the cluster.
Create a client certificate (client.crt).
openssl x509 -req -in client.csr -text -days 365 -CA ca1.crt -CAkey ca1.key -CAcreateserial -out client.crt
After you complete the preceding configurations, run the ls command to view the generated files:
# ls
ca1.crt ca1.key ca1.srl client.crt client.csr client.key
The following four files are used in the subsequent steps:
client.crt: the client certificate.
client.key: the private key for the client certificate.
ca1.crt: the self-signed certificate.
ca1.key: the private key for the self-signed certificate.
Step 2: Configure a client CA certificate
After you configure a client CA certificate, the status of the cluster changes to Modifying SSL. Wait until the status of the cluster changes to Running before you proceed. To configure a client CA certificate, perform the following steps:
Log on to the PolarDB console.
In the upper-left corner of the Clusters page, select the region in which the cluster that you want to manage is deployed.
Find the cluster and click the cluster ID.
In the left-side navigation pane, choose Settings and Management > Security.
On the SSL Settings tab, select the primary or cluster endpoint on which you want to configure a client CA certificate, and then click Configure Client CA Certificate.
In the Configure Client CA Certificate dialog box, set the Status parameter to On, copy the content of the self-signed certificate (ca1.crt) to the box, and then click OK.
Note: For information about how to obtain the self-signed certificate, see Step 1: Create a client certificate.

Step 3: Connect to the cluster from a client
You can connect to a PolarDB for PostgreSQL (Compatible with Oracle) cluster over SSL. For more information, see Connect to a PolarDB for PostgreSQL (Compatible with Oracle) cluster over SSL.
Step 4: (Optional) Configure a client certificate revocation list file
You can revoke a client certificate that you no longer require. After you revoke a client certificate, the corresponding client cannot access the cluster.
After you configure a client certificate revocation list file, the running status of the cluster changes to Modifying SSL. Wait until the running status of the cluster changes to Running before you proceed. To configure the client certificate revocation list file, perform the following steps:
Create the configuration file.
touch /etc/pki/CA/index.txt
echo 1000 > /etc/pki/CA/crlnumber
Note: If you use a Windows operating system, perform the following steps:
Create a folder named CA in the \bin directory of the OpenSSL installation directory.
Create a file named index.txt in the CA folder.
Run the following commands in the CLI:
echo 1000 > <OpenSSL installation directory>\bin\CA\crlnumber
Modify the openssl.cnf file in the C:\Program Files\Common Files\SSL\ directory:
# Find the [ CA_default ] configuration item and set dir as follows.
dir = "<OpenSSL installation directory>\\bin\\CA"
Revoke the client certificate (client.crt).
openssl ca -revoke client.crt -cert ca1.crt -keyfile ca1.key
Note: The preceding command requires the self-signed certificate (ca1.crt) and the private key of the self-signed certificate (ca1.key). For information about how to obtain the files, see Step 1: Create a client certificate.
Create a client certificate revocation list file (client.crl).
openssl ca -gencrl -out client.crl -cert ca1.crt -keyfile ca1.key
Choose Settings and Management > Security. On the SSL Settings tab, select the primary or cluster endpoint on which you want to configure a client certificate revocation list file, and then click Configure Revocation File of Client.
In the Configure Revocation File of Client dialog box, set the Status parameter to On, copy the content of the certificate revocation list file (client.crl) to the dialog box, and then click OK.
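The following script is an added example and is not part of the PolarDB documentation. It runs the openssl commands from Step 1 and Step 4 in a scratch directory with its own minimal openssl.cnf (so /etc/pki/CA is not touched), then checks, before anything is pasted into the console, that the client certificate's CN equals the database username, that it validates against ca1.crt, and that client.crl really revokes it. The username "polaruser" and the WORK directory are assumptions; openssl must be on the PATH.

```shell
# Added example, not the PolarDB documentation's own code: run Steps 1 and 4 in a scratch dir and verify the results.
# Assumes openssl on PATH; "polaruser" is a constructed sample username.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DB_USER="${DB_USER:-polaruser}"
# Minimal openssl.cnf so "openssl ca" works without touching /etc/pki/CA.
write_ca_config() {
    mkdir -p "$WORK/ca" && touch "$WORK/ca/index.txt" && echo 1000 > "$WORK/ca/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/ca/index.txt
crlnumber = $WORK/ca/crlnumber
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
# Step 1: self-signed CA (ca1.crt/ca1.key) and a client cert whose CN is the DB user.
make_certs() {
    openssl req -config "$WORK/ca.cnf" -new -x509 -days 3650 -nodes -subj "/CN=root-ca1" \
        -out "$WORK/ca1.crt" -keyout "$WORK/ca1.key" 2>/dev/null
    openssl req -config "$WORK/ca.cnf" -new -nodes -subj "/CN=$DB_USER" \
        -out "$WORK/client.csr" -keyout "$WORK/client.key" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -days 365 -CA "$WORK/ca1.crt" \
        -CAkey "$WORK/ca1.key" -CAcreateserial -out "$WORK/client.crt" 2>/dev/null
}
# Prints the CN of client.crt; it must equal the username the client logs in with.
client_cn() {
    openssl x509 -in "$WORK/client.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/^CN=//'
}
# Chain check against ca1.crt; once client.crl exists, revocation is enforced too.
verify_client() {
    if [ -f "$WORK/client.crl" ]; then
        openssl verify -crl_check -CAfile "$WORK/ca1.crt" -CRLfile "$WORK/client.crl" "$WORK/client.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/ca1.crt" "$WORK/client.crt" >/dev/null 2>&1
    fi
}
# Step 4: revoke client.crt and write client.crl, the file that is uploaded in the console.
revoke_client() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client.crt" -cert "$WORK/ca1.crt" -keyfile "$WORK/ca1.key" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/client.crl" -cert "$WORK/ca1.crt" -keyfile "$WORK/ca1.key" 2>/dev/null
}
```

Call write_ca_config, make_certs and verify_client in that order; verify_client succeeds before revoke_client runs and fails afterwards, which is the state the uploaded CRL should produce on the cluster.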

Step 5: (Optional) Disable the client CA certificate
After you disable the client CA certificate, the status of the cluster changes to Modifying SSL. Wait until the status of the cluster changes to Running before you proceed.
If you want to disable the client CA certificate on a primary or cluster endpoint, go to the SSL Settings page, find the primary or cluster endpoint, and then click Configure Client CA Certificate. In the Configure Client CA Certificate dialog box, click Disable, and then click OK.

Step 6: (Optional) Disable the client certificate revocation list file
After you disable the client certificate revocation list file, the status of the cluster changes to Modifying SSL. Wait until the status changes to Running before you proceed.
If you want to disable the client certificate revocation list file on a primary or cluster endpoint, go to the SSL Settings page, find the primary or cluster endpoint, and then click Configure Revocation File of Client. In the Configure Revocation File of Client dialog box, click Disable, and then click OK.
