PolarDB: Set up SSL encryption

Last Updated: Mar 30, 2026

Unencrypted database connections expose data in transit to interception. SSL encryption secures connections at the transport layer between your applications and PolarDB-X, protecting data integrity and confidentiality. This topic covers how to enable SSL, download and configure the CA certificate, connect from clients, update the certificate before it expires, and change or disable SSL.

Prerequisites

Before you begin, ensure that you have:

  • A PolarDB-X instance running version 5.4.10 or later. To check your version, go to the Basic information page in the PolarDB-X console.

Before you start

| Consideration | Details |
| --- | --- |
| Certificate validity | SSL certificates are valid for one year. Before a certificate expires, update its validity period, then re-download and reconfigure it. Clients cannot connect over encrypted connections if the certificate has expired. |
| CPU impact | SSL encryption can significantly increase CPU utilization. Enable it only for public endpoint connections. Private endpoint connections are already secure in most cases and do not require SSL. |
| Instance restarts | Enabling, disabling, or reconfiguring SSL encryption restarts the instance. Perform these operations during off-peak hours and make sure your application can automatically reconnect. |

Enable SSL encryption

  1. Log on to the PolarDB for Xscale console.

  2. In the top navigation bar, select the region where the instance is located.

  3. On the Instances page, click the PolarDB-X 2.0 tab.

  4. Find the target instance and click its ID.

  5. In the left-side navigation pane, choose Configuration Management > Safety management.

  6. Click the SSL configuration tab.

  7. Turn on the SSL configuration switch.

    After you enable SSL, the SSL protected address defaults to the private endpoint. To encrypt public endpoint connections instead, see Change the protected endpoint for SSL encryption.

  8. In the confirmation dialog, click OK.

    Important

    Clicking OK restarts the instance. Perform this operation during off-peak hours and make sure your application can automatically reconnect.

  9. After SSL encryption is enabled, click Download CA certificate. The downloaded package contains three files:

    | File | Use case |
    | --- | --- |
    | .p7b | Import the SSL certificate to Windows systems |
    | .pem | Import the SSL certificate to non-Windows systems and applications |
    | .jks | Import the CA certificate chain to Java programs. The truststore password is apsaradb |

    If you use the .jks file with Java Development Kit (JDK) 7 or JDK 8, update jre/lib/security/java.security on your application host with the following values:

    ```
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
    ```

    Without this change, you may see the following error, which is typically caused by invalid Java security configurations:

    ```
    javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
    ```
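
An added example, not code from this documentation: a Python check that a java.security file carries the two JDK 7/8 values given above, reading the file the way Java loads properties (comments, trailing-backslash continuations, last definition of a key wins). `PAGE_VALUES`, the function names and the sample text are constructed for this illustration.

```python
import re

# Values this page gives for JDK 7/8 in jre/lib/security/java.security.
PAGE_VALUES = {
    "jdk.tls.disabledAlgorithms": "SSLv3, RC4, DH keySize < 224",
    "jdk.certpath.disabledAlgorithms": "MD2, RSA keySize < 1024",
}

def parse_java_security(text):
    """Parse key=value lines: comments, backslash continuations, last key wins."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a dangling continuation
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def entries(value):
    """Split a disabledAlgorithms value into whitespace-normalised entries."""
    return {" ".join(e.split()) for e in (value or "").split(",") if e.strip()}

def key_size_limit(value, algorithm):
    """Return N from an '<algorithm> keySize < N' entry, or None if absent."""
    m = re.search(rf"\b{re.escape(algorithm)}\s+keySize\s*<\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def audit(text):
    """Map each property to (matches_page_value, value_found_or_None)."""
    props = parse_java_security(text)
    return {k: (entries(props.get(k)) == entries(v), props.get(k))
            for k, v in PAGE_VALUES.items()}

SAMPLE = """\
# constructed sample, not a real JDK file: certpath matches the page, tls does not
jdk.certpath.disabledAlgorithms=MD2,  RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768
"""

if __name__ == "__main__":
    for name, (ok, found) in audit(SAMPLE).items():
        print("OK" if ok else "MISMATCH", name, "=", found)
```

To check a real host, pass the file's contents to `audit()`; when a mismatch is reported, `key_size_limit(value, "DH")` shows the DH limit currently in effect.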

Configure SSL on your client or application

After enabling SSL, configure the downloaded certificate in your client or application code.

MySQL Workbench

  1. Start MySQL Workbench.

  2. Choose Database > Manage Connections.

  3. In the Use SSL drop-down list, select If available, then import the SSL certificate file.

Navicat

  1. Start Navicat.

  2. Right-click the database connection and select Edit Connection.

  3. Click the SSL tab and set the path to the .pem SSL certificate file.

  4. Click OK.

    If you see the message `connection is being used`, the previous session is still active. Restart Navicat and try again.

  5. Double-click the database to verify the connection.

Update the SSL certificate validity period

Important
  • Updating the certificate validity period restarts the instance. Perform this operation during off-peak hours and make sure your application can automatically reconnect.

  • After updating, re-download and reconfigure the SSL certificate.

Change the protected endpoint for SSL encryption

  1. Log on to the PolarDB for Xscale console.

  2. In the top navigation bar, select the region where the instance is located.

  3. On the Instances page, click the PolarDB-X 2.0 tab.

  4. Find the target instance and click its ID.

  5. In the left-side navigation pane, choose Configuration and Management > Safety management.

  6. Click the SSL configuration tab.

  7. Click Set SSL.

  8. In the dialog that appears, select the endpoint to encrypt.

  9. Click OK.

Disable SSL encryption

Disabling SSL encryption restarts the instance. Perform this operation during off-peak hours and make sure your application can automatically reconnect.

Disabling SSL improves database performance but reduces security. Disable it only in secure environments.

  1. Log on to the PolarDB for Xscale console.

  2. In the top navigation bar, select the region where the instance is located.

  3. On the Instances page, click the PolarDB-X 2.0 tab.

  4. Find the target instance and click its ID.

  5. In the left-side navigation pane, choose Configuration and Management > Safety management.

  6. Click the SSL configuration tab.

  7. Turn off the SSL configuration switch.

  8. In the confirmation dialog, click OK.