When you configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance, you can use either an Alibaba Cloud-managed certificate or a custom certificate. This topic describes how to use a custom certificate.
Prerequisites
-
The ApsaraDB RDS for PostgreSQL instance must run PostgreSQL 10 or later and use the cloud disk version.
NoteInstances that use the Serverless billing method are not supported.
-
OpenSSL is installed.
NoteOn Linux, OpenSSL is installed by default. On Windows, you must download and install an OpenSSL package.
Usage notes
-
Enabling SSL encryption increases CPU utilization and read/write latency.
-
After enabling SSL encryption, disconnect and reconnect existing connections for the encryption to take effect.
-
Configuring or updating a custom certificate, or disabling SSL encryption, restarts your database instance. This process takes about three minutes. We recommend that you perform these operations during off-peak hours.
Step 1: Obtain a custom certificate
When you generate the private key of a server certificate or a self-signed certificate, do not encrypt the private key with a password. Otherwise, you cannot enable SSL encryption.
This topic uses a CentOS system as an example. If you use a Windows operating system, the openssl command is the same as the openssl command on CentOS systems. Replace the cp command by manually copying the file, and replace the vim command by manually editing the file.
-
Create a self-signed certificate (server-ca.crt) and its private key (server-ca.key).
openssl req -new -x509 -days 365 -nodes -out server-ca.crt -keyout server-ca.key -subj "/CN=root-server-ca" -
Generate a certificate signing request (CSR) file (server.csr) and a server private key file (server.key).
A custom certificate can protect one or more endpoints. Choose the appropriate method below to generate the server CSR file.
-
To protect a single endpoint, run the following command.
openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=pgm-bpxxxxx.pg.rds.aliyuncs.com"NoteIn this example,
pgm-bpxxxxx.pg.rds.aliyuncs.comis an example endpoint. Replace it with the endpoint that you want to protect. To view the endpoint, see View or modify an endpoint and port. -
To protect multiple endpoints, perform the following steps.
-
Copy the OpenSSL configuration file for temporary use.
cp /etc/pki/tls/openssl.cnf /tmp/openssl.cnfNoteIf you use Windows, the openssl.cnf file is located in the \bin\cnf subdirectory of the OpenSSL installation directory. You can copy the file to any location.
-
Run the following command to edit the temporary openssl.cnf file:
vim /tmp/openssl.cnf -
Press
ito enter edit mode and configure the following content.# Add the following line to the end of the [ req ] section. req_extensions = v3_req # Add a new [ v3_req ] section. [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names # Add a new [ alt_names ] section and specify the database endpoints to protect after DNS. [ alt_names ] DNS.1 = pgm-bpxxxxx.pg.rds.aliyuncs.com DNS.2 = pgm-bpxxxxx.pg.rds.aliyuncs.com -
Press the
Esckey to exit edit mode. Then, enter:wqto save the changes and exit. -
Generate a server CSR file (server.csr) and a server private key file (server.key).
openssl req -new -nodes -text -out server.csr -keyout server.key -config /tmp/openssl.cnfWhen you generate the CSR file (server.csr), OpenSSL prompts you for the following parameters.
Parameter
Description
Example
Country name
The two-letter ISO country code.
CN
State or province name
The province or state.
Zhejiang
Locality name
The city.
Hangzhou
Organization name
The name of the company.
Alibaba
Organizational unit name
The name of the department.
Aliyun
Common name
The domain name for which you are requesting the SSL certificate. This is pre-configured in the openssl.cnf file and can be skipped.
-
Email address
Not required.
-
A challenge password
Not required.
-
An optional company name
Not required.
-
-
-
-
Generate the server certificate (server.crt).
-
If you want to protect a single endpoint, run the following command.
openssl x509 -req -in server.csr -text -days 365 -CA server-ca.crt -CAkey server-ca.key -CAcreateserial -out server.crt -
If you want to protect multiple endpoints, run the following command.
openssl x509 -req -in server.csr -text -days 365 -CA server-ca.crt -CAkey server-ca.key -CAcreateserial -out server.crt -extensions v3_req -extfile /tmp/openssl.cnf
-
Run the ls command to view the generated files:
# ls
server-ca.crt server-ca.key ca.srl server.crt server.csr server.key
Key files:
-
server.crt: The server certificate.
-
server.key: The server private key.
-
server-ca.crt: The self-signed certificate.
-
server-ca.key: The private key of the self-signed certificate.
Step 2: Enable SSL with a custom certificate
After you configure a custom certificate, the Status changes to Modifying SSL Settings for about three minutes. Wait until the status changes to Running before proceeding.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
-
On the left-side navigation pane, choose > SSL.
-
Set Custom Certificate to Custom Certificate. Next to Configure Database Certificate (to Prevent Database Disguise), click Configuration. Enter the server certificate and its private key, and then click OK.
Note: After you modify the server certificate, the system automatically updates it and restarts your database instance.
Parameter
Value
Server certificate
Paste the full content of the server.crt file that you obtained in Step 1: Obtain a custom certificate, including everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
Server certificate private key
Paste the full content of the server.key file that you obtained in Step 1: Obtain a custom certificate, including everything from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----.
If you specified multiple endpoints for the certificate, multiple records are displayed under Protected Host. The page also shows other details, such as the validity period, and provides options to View Certificate Details and View Private Key Details. To update the certificate, click Modify.
Step 3: Connect to the database
ApsaraDB RDS for PostgreSQL supports SSL connections from remote clients. See Connect to an ApsaraDB RDS for PostgreSQL instance over SSL for connection instructions.
Step 4: (Optional) Update the certificate
Updating the certificate restarts the instance. Proceed with caution.
On the SSL page, in the Configure Database Certificate (to Prevent Database Disguise) section, click Modify . Then, enter the new server certificate and private key.
Step 5: (Optional) Disable SSL encryption
Disabling SSL encryption restarts the instance. Proceed with caution.
To disable SSL encryption, on the SSL page, click Disable SSL.