When you configure the SSL encryption feature for an ApsaraDB RDS for MySQL instance, you can use either the certificates that are managed by Alibaba Cloud or a custom certificate. This topic describes how to use a custom certificate to enable SSL encryption for your RDS instance.
Prerequisites
OpenSSL is installed.
Your RDS instance runs one of the following MySQL versions and RDS editions:
MySQL 8.0, MySQL 5.7, or MySQL 5.6 on RDS High-availability Edition
MySQL 8.0 or MySQL 5.7 on RDS Cluster Edition
MySQL 8.0 or MySQL 5.7 on RDS Basic Edition
If you use Linux, OpenSSL is preinstalled. You do not need to install OpenSSL again.
If you use Windows, you must obtain the OpenSSL package and install OpenSSL.
Usage notes
After SSL encryption is enabled, CPU utilization and the read and write latencies increase.
After SSL encryption is enabled, you must close the existing connection and establish a new connection for SSL encryption to take effect.
If you configure or modify a custom certificate or disable SSL encryption, your RDS instance is restarted. The restart requires approximately 3 minutes. We recommend that you perform the operations during off-peak hours.
Configuration process
Step 1: Obtain a custom certificate
When you create a private key for a server certificate or a self-signed certificate, do not add a password to the private key. If you add a password to the private key, SSL encryption cannot be enabled.
CentOS is used as an example to describe how to generate a certificate.
If you use a Windows operating system, you can run the following openssl commands in the same way as in a CentOS operating system. However, you must copy or edit files manually instead of using the cp and vim commands.
Create a self-signed certificate and a private key for the self-signed certificate. The self-signed certificate is saved in a file named server-ca.crt. The private key is saved in a file named server-ca.key.
openssl req -new -x509 -days 365 -nodes -out server-ca.crt -keyout server-ca.key -subj "/CN=root-ca"
Create a certificate signing request (CSR) file and a private key for the server certificate. The CSR file is named server.csr. The private key is saved in a file named server.key.
You can use a custom certificate to protect only one endpoint. You can run the following command to generate the CSR file based on your business requirements:
openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=rm-bpxxxxx.mysql.rds.aliyuncs.com"
Note: Replace rm-bpxxxxx.mysql.rds.aliyuncs.com with the endpoint that you want to protect. For more information about how to view the endpoint, see View and manage instance endpoints and ports.
When the server.csr file is being created, you are prompted to configure the parameters based on your business requirements. The following table describes the parameters.
Parameter | Description | Example value
Country Name | The code of the country. Specify a two-letter country code defined by the International Organization for Standardization (ISO). | CN
State or Province Name | The province. | ZheJiang
Locality Name | The city. | HangZhou
Organization Name | The name of the enterprise. | Alibaba
Organizational Unit Name | The name of the department. | Aliyun
Common Name | The domain name that you want to protect by using the certificate. The domain name is specified in the openssl.cnf file. You do not need to configure this parameter. | -
Email Address | You do not need to configure this parameter. | -
A challenge password | You do not need to configure this parameter. | -
An optional company name | You do not need to configure this parameter. | -
Create a server certificate. The server certificate is saved in a file named server.crt.
If you want to protect an endpoint, run the following command:
openssl x509 -req -in server.csr -text -days 365 -CA server-ca.crt -CAkey server-ca.key -CAcreateserial -out server.crt
After the configurations are complete, run the ls command to view the generated files:
# ls
server-ca.crt server-ca.key ca.srl server.crt server.csr server.key
The following list describes the files:
server.crt: the file that contains the server certificate
server.key: the file that contains the private key of the server certificate
server-ca.crt: the file that contains the self-signed certificate
server-ca.key: the file that contains the private key of the self-signed certificate
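The three openssl commands from Step 1 in one script, followed by the checks worth running before the files are pasted into the console: that server.key carries no password (the topic says a password-protected key prevents SSL from being enabled), that server.crt chains to server-ca.crt, that the CN is the endpoint the certificate protects, and how long the certificate remains valid. This is an added example, not code from the Alibaba Cloud topic; it assumes openssl is on PATH and uses the topic's placeholder endpoint, which must be replaced with your real endpoint.

```shell
#!/bin/sh
# Added example: generate the custom certificate and verify it before upload.
# Assumes openssl is installed. ENDPOINT is the placeholder from the topic.
set -eu

ENDPOINT="rm-bpxxxxx.mysql.rds.aliyuncs.com"   # placeholder, replace with your endpoint
WORKDIR="${WORKDIR:-$(mktemp -d)}"             # keeps the six files out of the CWD

# The same three commands as in Step 1: self-signed CA, CSR, signed server cert.
gen_custom_cert() (
  cd "$WORKDIR"
  openssl req -new -x509 -days 365 -nodes -out server-ca.crt -keyout server-ca.key \
    -subj "/CN=root-ca" 2>/dev/null
  openssl req -new -nodes -out server.csr -keyout server.key \
    -subj "/CN=$ENDPOINT" 2>/dev/null
  openssl x509 -req -in server.csr -days 365 -CA server-ca.crt -CAkey server-ca.key \
    -CAcreateserial -out server.crt 2>/dev/null
)

# 0 when server.key is unencrypted. An encrypted PEM key carries either
# "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) or "Proc-Type: 4,ENCRYPTED" (legacy).
key_unencrypted() { ! grep -q ENCRYPTED "$WORKDIR/server.key"; }

# 0 when server.crt validates against the self-signed CA that issued it.
chain_ok() { openssl verify -CAfile "$WORKDIR/server-ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1; }

# 0 when the certificate subject CN is the endpoint (one certificate, one endpoint).
cn_matches() {
  subj=$(openssl x509 -in "$WORKDIR/server.crt" -noout -subject)
  case "$subj" in *CN*"$ENDPOINT"*) return 0 ;; esac
  return 1
}

# 0 when the certificate does not expire within $1 seconds; suitable as a
# scheduled check so that the expiry notification is not the first warning.
valid_for() { openssl x509 -in "$WORKDIR/server.crt" -noout -checkend "$1" >/dev/null 2>&1; }

gen_custom_cert
key_unencrypted && chain_ok && cn_matches && valid_for 2592000 \
  && echo "OK: paste $WORKDIR/server.crt and $WORKDIR/server.key into the console"
```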
Step 2: Configure a custom certificate to enable SSL encryption
After you configure a custom certificate, the status of the RDS instance changes to Modifying SSL Settings. The RDS instance remains in this state for 3 minutes. Wait until the RDS instance enters the Running state before you proceed with subsequent operations.
Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which your RDS instance resides, find the RDS instance, and then click the instance ID.
In the left-side navigation pane of the page that appears, click Data Security. On the page that appears, click the SSL tab.
Click Custom Certificate. Then, click the switch next to Disabled. In the dialog box that appears, configure the Server Certificate and Private Key of Server Certificate parameters and click OK.
Parameter | Description
Server Certificate | Enter the content of the server.crt file that you created. For more information, see Step 1: Obtain a custom certificate. Make sure that all the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is copied to this field.
Private Key of Server Certificate | Enter the content of the server.key file that you created. For more information, see Step 1: Obtain a custom certificate. Make sure that all the content from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- is copied to this field.
Step 3: Connect to the RDS instance from a client
You can connect to the RDS instance over SSL. For more information, see Connect to an ApsaraDB RDS for MySQL instance over SSL.
Step 4: (Optional) Update the created custom certificate
If you update a custom certificate, your RDS instance is restarted unless you use MySQL 8.0. Proceed with caution.
If you want to update the custom certificate, click Update SSL on the SSL tab. In the dialog box that appears, configure the Server Certificate and Private Key of Server Certificate parameters.
Step 5: (Optional) Disable SSL encryption
This operation triggers a restart of your RDS instance. Proceed with caution.
If you want to disable SSL encryption, click the switch next to Enabled on the SSL tab.
FAQ
What do I do if a custom certificate expires?
The validity period of a custom certificate in ApsaraDB RDS for MySQL is user-defined. The system sends a notification before the certificate expires. After you receive the notification, we recommend that you update the validity period of the certificate at the earliest opportunity to prevent impacts on your workloads.