ApsaraDB RDS: Configure SSL encryption for a database proxy endpoint

Last Updated: Mar 28, 2026

RDS for MySQL supports Secure Sockets Layer (SSL) encryption for database proxy endpoints. Enable SSL on a proxy endpoint and install the CA certificate in your application to secure connections at the transport layer. SSL improves data security and integrity in transit but increases response time.

Important

The following operations restart your proxy instance. Schedule them during a maintenance window:

  • Enabling SSL encryption

  • Disabling SSL encryption

  • Changing the protected endpoint

  • Updating the certificate validity period

Prerequisites

Before you begin, make sure you have:

  • A supported MySQL version:

    • MySQL 8.0 on RDS High-availability Edition with a minor engine version of 20200831 or later

    • MySQL 8.0 Cluster Edition

    • MySQL 5.7 Cluster Edition

    • MySQL 5.7 on RDS High-availability Edition with a minor engine version of 20200831 or later

    • MySQL 5.6 on RDS High-availability Edition with a minor engine version of 20200831 or later

    If your RDS instance has read-only instances, those instances must also meet the minor engine version requirements.
  • The database proxy feature enabled. For more information, see Enable the database proxy feature.

  • A PolarProxy minor engine version of 2.25.3 or later

  • A database proxy endpoint whose total length does not exceed 64 characters

Limits

SSL encryption can be configured for only one database proxy endpoint per proxy instance.

Enable SSL encryption

Important

This operation restarts your proxy instance. Proceed with caution.

  1. Go to the RDS Instances page. In the top navigation bar, select the region where your RDS instance resides. Then click the instance ID.

  2. In the left navigation pane, click Database Proxy.

  3. In the Connection Information section, hover over the ID of the target database proxy endpoint. In the SSL Configuration section of the dialog box that appears, click Enable to the right of SSL Certificate.

  4. In the dialog box that appears, select the endpoint to encrypt and click OK.

  5. After the SSL status changes to Enabled, click Download CA Certificate to the right of SSL Certificate. The downloaded file is a compressed package containing the following certificate files:

    | File format | Use when |
    | --- | --- |
    | PEM | Most scenarios |
    | JKS | Java applications. Import the PEM-formatted CA certificate into a truststore and convert it to JKS. The JKS file password is apsaradb. |
    | P7B | Windows applications that require PKCS #7 certificate files |

    If you use the JKS certificate file with JDK 7 or JDK 8, update the following entries in jre/lib/security/java.security on the host where your application runs:

    ```
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
    ```

    Without this update, connections fail with:

    ```
    javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
    ```

Configure the SSL CA certificate

After you download the CA certificate, configure it in your application. Once the CA certificate is configured, your application can verify the database server certificate. For more information, see Configure a CA certificate.
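
For Java clients that use the JKS file, the following added example (not part of the original page and not Alibaba Cloud's code) audits MySQL Connector/J connection strings for the settings that make the client verify the proxy's certificate instead of only encrypting. It assumes Connector/J 8.0.13 or later, where `sslMode` defaults to PREFERRED; the host names, database name and truststore path are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

# Connector/J sslMode values that validate the server certificate chain.
VERIFYING_MODES = {"VERIFY_CA", "VERIFY_IDENTITY"}

def audit_jdbc_url(url: str) -> list[str]:
    """Return findings for a MySQL Connector/J URL; [] means TLS is required
    and the proxy certificate is checked against a configured truststore."""
    parts = urlsplit(url.removeprefix("jdbc:"))
    props = {k.lower(): v for k, v in parse_qsl(parts.query)}
    findings = []

    # Prerequisite from the page: endpoint length must not exceed 64 characters.
    if len(parts.hostname or "") > 64:
        findings.append("endpoint exceeds 64 characters")

    # Assumption: without sslMode, Connector/J 8.0.13+ uses PREFERRED, which
    # encrypts when it can but does not validate the certificate.
    mode = props.get("sslmode", "PREFERRED").upper()
    if mode not in VERIFYING_MODES:
        findings.append(f"sslMode={mode} does not verify the server certificate")

    # Verification against the downloaded CA needs the JKS truststore wired in.
    if not props.get("trustcertificatekeystoreurl"):
        findings.append("trustCertificateKeyStoreUrl not set: downloaded JKS is not used")
    elif not props.get("trustcertificatekeystorepassword"):
        findings.append("trustCertificateKeyStorePassword not set")
    return findings

# Constructed sample connection strings; host, database and path are placeholders.
SAMPLES = {
    "verified": "jdbc:mysql://rds-proxy.example.com:3306/app?sslMode=VERIFY_IDENTITY"
                "&trustCertificateKeyStoreUrl=file:/opt/app/rds-proxy-ca.jks"
                "&trustCertificateKeyStorePassword=apsaradb",
    "encrypted_only": "jdbc:mysql://rds-proxy.example.com:3306/app?sslMode=REQUIRED",
    "default": "jdbc:mysql://rds-proxy.example.com:3306/app",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, audit_jdbc_url(url) or "OK")
```

VERIFY_CA checks the certificate chain only; VERIFY_IDENTITY also checks that the certificate matches the endpoint host name the client connects to.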

Change the protected endpoint

Important

This operation updates the certificate validity period and restarts your proxy instance. Proceed with caution.

  1. Go to the Instances page. In the top navigation bar, select the region where your RDS instance resides. Find the instance and click its ID.

  2. In the left navigation pane, click Database Proxy.

  3. In the Connection Information section, hover over the ID of the target database proxy endpoint. In the SSL Configuration section of the dialog box that appears, click Change Protected Endpoint below Protected Endpoint.

  4. Select the endpoint to encrypt and click OK.

Update the certificate validity period

Important

This operation restarts your proxy instance. Proceed with caution.

  1. Go to the Instances page. In the top navigation bar, select the region where your RDS instance resides. Find the instance and click its ID.

  2. In the left navigation pane, click Database Proxy.

  3. In the Connection Information section, hover over the ID of the target database proxy endpoint. In the SSL Configuration section of the dialog box that appears, click Update Expiration Time to the right of SSL Certificate. In the dialog box that appears, click OK.

Disable SSL encryption

Important

This operation restarts your proxy instance. Proceed with caution.

  1. Go to the Instances page. In the top navigation bar, select the region where your RDS instance resides. Find the instance and click its ID.

  2. In the left navigation pane, click Database Proxy.

  3. In the Connection Information section, hover over the ID of the target database proxy endpoint. In the SSL Configuration section of the dialog box that appears, click Disable to the right of SSL Certificate. In the dialog box that appears, click OK.

API reference

| API | Description |
| --- | --- |
| ModifyDbProxyInstanceSsl | Configures SSL encryption for a database proxy endpoint |
| GetDbProxyInstanceSsl | Queries SSL encryption settings for a database proxy endpoint |

What's next