ApsaraDB RDS for MySQL supports both Alibaba Cloud-managed certificates and custom certificates for SSL encryption. This topic describes how to generate a custom certificate using OpenSSL and configure it on your RDS instance.
Prerequisites
Before you begin, ensure that you have:
OpenSSL installed
Linux: OpenSSL is preinstalled. No action needed.
Windows: Download and install OpenSSL from slproweb.com.
An RDS instance that meets the version requirements:
Edition | Supported MySQL versions
RDS High-availability Edition | MySQL 8.0, 5.7, or 5.6
RDS Cluster Edition | MySQL 8.0 or 5.7
RDS Basic Edition | MySQL 8.0 or 5.7

(Required for forceful SSL encryption only) The instance runs MySQL 5.7 or 8.0, on any of the above editions, with minor engine version 20241130 or later.
Usage notes
Enabling SSL increases CPU utilization and read and write latencies.
After enabling SSL, close existing connections and reconnect for encryption to take effect.
Configuring or modifying a custom certificate, or disabling SSL, triggers a restart of approximately 3 minutes. Perform these operations during off-peak hours.
When forceful SSL encryption is enabled, only SSL-encrypted connections are accepted. Non-SSL connections are denied.
Step 1: Generate a custom certificate
Do not add a password to the private key. A password-protected private key prevents SSL from being enabled.
The following commands use CentOS syntax. On Windows, run the same openssl commands, but copy files and edit content manually instead of using cp and vim.
1. Generate a self-signed CA certificate (server-ca.crt) and its private key (server-ca.key). The -days value sets the certificate validity period. Set this to match your rotation policy (for example, 365 days for annual renewal).

openssl req -new -x509 -days 365 -nodes -out server-ca.crt -keyout server-ca.key -subj "/CN=root-ca"

2. Generate a certificate signing request (CSR) (server.csr) and a server private key (server.key). Replace rm-bpxxxxx.mysql.rds.aliyuncs.com with the endpoint you want to protect. To find your endpoint, see View and manage instance endpoints and ports. A custom certificate protects a single endpoint.

openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=rm-bpxxxxx.mysql.rds.aliyuncs.com"

If OpenSSL prompts for the optional Certificate Signing Request (CSR) fields (the -subj option already supplies the Common Name), configure them as follows:

Parameter | Description | Example
Country Name | Two-letter ISO country code | CN
State or Province Name | Province | ZheJiang
Locality Name | City | HangZhou
Organization Name | Enterprise name | Alibaba
Organizational Unit Name | Department name | Aliyun
Common Name | Defined in openssl.cnf; leave blank | —
Email Address | Leave blank | —
A challenge password | Leave blank | —
An optional company name | Leave blank | —

3. Sign the CSR with the CA certificate to generate the server certificate (server.crt).

openssl x509 -req -in server.csr -text -days 365 -CA server-ca.crt -CAkey server-ca.key -CAcreateserial -out server.crt

4. Verify the generated files by running ls:

# ls
server-ca.crt  server-ca.key  ca.srl  server.crt  server.csr  server.key

File | Content
server.crt | Server certificate
server.key | Private key of the server certificate
server-ca.crt | Self-signed CA certificate
server-ca.key | Private key of the self-signed CA certificate
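As an added example that is not part of this topic, the following POSIX shell script runs the Step 1 commands end to end and then checks the output before you paste it into the console: the private key is not passphrase-protected (the condition noted above), the key matches the certificate, the certificate chains to server-ca.crt, and the CN equals the endpoint. The endpoint value, the output directory and the 30-day expiry threshold are assumptions; the -text option is omitted because the checks only need the PEM bodies.

```shell
#!/bin/sh
# Added example, not code from the Alibaba Cloud topic. Runs the Step 1 commands
# (without -text, since the checks only need the PEM bodies) and then validates
# the files before they are pasted into the RDS console.
set -eu

# Generate CA, server key, CSR and CA-signed server certificate into $1.
gen_custom_cert() {
    dir=$1; endpoint=$2; days=${3:-365}
    mkdir -p "$dir"
    openssl req -new -x509 -days "$days" -nodes -subj "/CN=root-ca" \
        -out "$dir/server-ca.crt" -keyout "$dir/server-ca.key" 2>/dev/null
    openssl req -new -nodes -subj "/CN=$endpoint" \
        -out "$dir/server.csr" -keyout "$dir/server.key" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days "$days" -CA "$dir/server-ca.crt" \
        -CAkey "$dir/server-ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# Pre-upload checks. Prints "all checks passed" and returns 0, or prints the
# first failing check and returns 1.
check_custom_cert() {
    dir=$1; endpoint=$2
    # 1. RDS cannot enable SSL with a passphrase-protected key (see the note above).
    if grep -q "ENCRYPTED" "$dir/server.key"; then echo "key is encrypted"; return 1; fi
    # 2. The private key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
    # 3. The server certificate must chain to the CA certificate you will upload.
    openssl verify -CAfile "$dir/server-ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "certificate does not chain to server-ca.crt"; return 1; }
    # 4. A custom certificate protects one endpoint: the CN must equal it exactly.
    openssl x509 -in "$dir/server.crt" -noout -subject | grep -q "CN *= *$endpoint\$" \
        || { echo "CN does not match endpoint"; return 1; }
    # 5. Renewal reminder: fail if fewer than 30 days (an assumed threshold) remain.
    openssl x509 -in "$dir/server.crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
        || { echo "certificate expires within 30 days"; return 1; }
    echo "all checks passed"
}
```

Call gen_custom_cert with an output directory, your endpoint and the validity in days, then check_custom_cert with the same directory and endpoint; a non-zero exit names the first failing check.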
Step 2: Upload the certificate and enable SSL
After you configure the custom certificate, the instance status changes to Modifying SSL Settings for approximately 3 minutes. Wait until the status returns to Running before proceeding.
Log on to the ApsaraDB RDS console. On the Instances page, select the region where your instance resides, then click the instance ID.
In the left-side navigation pane, click Data Security. On the page that appears, click the SSL tab.
Click Custom Certificate, then click the switch next to Disabled.
In the dialog box that appears, configure the following parameters and click OK.
Step 3: Connect to the instance over SSL
You can connect to the RDS instance over SSL. For more information, see Connect to an ApsaraDB RDS for MySQL instance over SSL.
Step 4: (Optional) Update the custom certificate
Updating the certificate triggers a restart, except for MySQL 8.0. Perform this operation during off-peak hours.
On the SSL tab, click Update SSL. In the dialog box that appears, paste the updated content for Server Certificate and Private key of server certificate, then click OK.
Step 5: (Optional) Disable SSL encryption
Disabling SSL triggers a restart. Perform this operation during off-peak hours.
On the SSL tab, click the switch next to Enabled.
FAQ
What do I do if my custom certificate is about to expire?
The validity period of a custom certificate is defined by the -days value you set when generating it. The system sends a notification before expiry. When you receive the notification, we recommend that you update the validity period of the certificate at the earliest opportunity to prevent impacts on your workloads.