All Products
Search
Document Center

ApsaraDB RDS:Configure a custom certificate

Last Updated:Jun 20, 2026

When you configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance, you can use either an Alibaba Cloud-managed certificate or a custom certificate. This topic describes how to use a custom certificate.

Prerequisites

  • The ApsaraDB RDS for PostgreSQL instance must run PostgreSQL 10 or later and use the cloud disk version.

    Note

    Instances that use the Serverless billing method are not supported.

  • OpenSSL is installed.

    Note

    On Linux, OpenSSL is installed by default. On Windows, you must download and install an OpenSSL package.

Usage notes

  • Enabling SSL encryption increases CPU utilization and read/write latency.

  • After enabling SSL encryption, disconnect and reconnect existing connections for the encryption to take effect.

  • Configuring or updating a custom certificate, or disabling SSL encryption, restarts your database instance. This process takes about three minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Obtain a custom certificate

Warning

When you generate the private key of a server certificate or a self-signed certificate, do not encrypt the private key with a password. Otherwise, you cannot enable SSL encryption.

This topic uses a CentOS system as an example. If you use a Windows operating system, the openssl command is the same as the openssl command on CentOS systems. Replace the cp command by manually copying the file, and replace the vim command by manually editing the file.

  1. Create a self-signed certificate (server-ca.crt) and its private key (server-ca.key).

    openssl req -new -x509 -days 365 -nodes -out server-ca.crt -keyout server-ca.key -subj "/CN=root-server-ca"
  2. Generate a certificate signing request (CSR) file (server.csr) and a server private key file (server.key).

    A custom certificate can protect one or more endpoints. Choose the appropriate method below to generate the server CSR file.

    • To protect a single endpoint, run the following command.

      openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=pgm-bpxxxxx.pg.rds.aliyuncs.com"
      Note

      In this example, pgm-bpxxxxx.pg.rds.aliyuncs.com is an example endpoint. Replace it with the endpoint that you want to protect. To view the endpoint, see View or modify an endpoint and port.

    • To protect multiple endpoints, perform the following steps.

      1. Copy the OpenSSL configuration file for temporary use.

        cp /etc/pki/tls/openssl.cnf  /tmp/openssl.cnf
        Note

        If you use Windows, the openssl.cnf file is located in the \bin\cnf subdirectory of the OpenSSL installation directory. You can copy the file to any location.

      2. Run the following command to edit the temporary openssl.cnf file:

        vim /tmp/openssl.cnf
      3. Press i to enter edit mode and configure the following content.

        # Add the following line to the end of the [ req ] section.
        req_extensions = v3_req
        # Add a new [ v3_req ] section.
        [ v3_req ]
        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        subjectAltName = @alt_names
        # Add a new [ alt_names ] section and specify the database endpoints to protect after DNS.
        [ alt_names ]
        DNS.1 = pgm-bpxxxxx.pg.rds.aliyuncs.com
        DNS.2 = pgm-bpxxxxx.pg.rds.aliyuncs.com
      4. Press the Esc key to exit edit mode. Then, enter :wq to save the changes and exit.

      5. Generate a server CSR file (server.csr) and a server private key file (server.key).

        openssl req -new -nodes -text -out server.csr -keyout server.key -config /tmp/openssl.cnf

        When you generate the CSR file (server.csr), OpenSSL prompts you for the following parameters.

        Parameter

        Description

        Example

        Country name

        The two-letter ISO country code.

        CN

        State or province name

        The province or state.

        Zhejiang

        Locality name

        The city.

        Hangzhou

        Organization name

        The name of the company.

        Alibaba

        Organizational unit name

        The name of the department.

        Aliyun

        Common name

        The domain name for which you are requesting the SSL certificate. This is pre-configured in the openssl.cnf file and can be skipped.

        -

        Email address

        Not required.

        -

        A challenge password

        Not required.

        -

        An optional company name

        Not required.

        -

  3. Generate the server certificate (server.crt).

    • If you want to protect a single endpoint, run the following command.

      openssl x509 -req -in server.csr -text -days 365 -CA server-ca.crt -CAkey server-ca.key -CAcreateserial  -out server.crt
    • If you want to protect multiple endpoints, run the following command.

      openssl x509 -req -in server.csr -text -days 365 -CA server-ca.crt -CAkey server-ca.key -CAcreateserial  -out server.crt -extensions v3_req -extfile /tmp/openssl.cnf

Run the ls command to view the generated files:

# ls
server-ca.crt  server-ca.key  ca.srl  server.crt  server.csr  server.key

Key files:

  • server.crt: The server certificate.

  • server.key: The server private key.

  • server-ca.crt: The self-signed certificate.

  • server-ca.key: The private key of the self-signed certificate.

Step 2: Enable SSL with a custom certificate

Note

After you configure a custom certificate, the Status changes to Modifying SSL Settings for about three minutes. Wait until the status changes to Running before proceeding.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. On the left-side navigation pane, choose Data Security > SSL.

  3. Set Custom Certificate to Custom Certificate. Next to Configure Database Certificate (to Prevent Database Disguise), click Configuration. Enter the server certificate and its private key, and then click OK.

    Note: After you modify the server certificate, the system automatically updates it and restarts your database instance.

    Parameter

    Value

    Server certificate

    Paste the full content of the server.crt file that you obtained in Step 1: Obtain a custom certificate, including everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

    Server certificate private key

    Paste the full content of the server.key file that you obtained in Step 1: Obtain a custom certificate, including everything from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----.

    If you specified multiple endpoints for the certificate, multiple records are displayed under Protected Host. The page also shows other details, such as the validity period, and provides options to View Certificate Details and View Private Key Details. To update the certificate, click Modify.

Step 3: Connect to the database

ApsaraDB RDS for PostgreSQL supports SSL connections from remote clients. See Connect to an ApsaraDB RDS for PostgreSQL instance over SSL for connection instructions.

Step 4: (Optional) Update the certificate

Note

Updating the certificate restarts the instance. Proceed with caution.

On the SSL page, in the Configure Database Certificate (to Prevent Database Disguise) section, click Modify . Then, enter the new server certificate and private key.

Step 5: (Optional) Disable SSL encryption

Note

Disabling SSL encryption restarts the instance. Proceed with caution.

To disable SSL encryption, on the SSL page, click Disable SSL.