
ApsaraDB RDS: Use a custom certificate to enable SSL encryption

Last Updated:Feb 27, 2025

This topic explains how to configure SSL encryption for ApsaraDB RDS for MySQL using a custom certificate, as opposed to certificates managed by Alibaba Cloud.

Prerequisites

  • OpenSSL is installed.

  • The SSL encryption feature is compatible with the following RDS MySQL instance editions and versions:

    • High-availability Edition: MySQL 8.0, MySQL 5.7, MySQL 5.6

    • Cluster Edition: MySQL 8.0, MySQL 5.7

    • Basic Edition: MySQL 8.0, MySQL 5.7

  • The force SSL encryption feature requires the following RDS MySQL instance versions:

    • Database major version: MySQL 8.0, MySQL 5.7

    • Product editions: Basic Edition, High-availability Edition, and Cluster Edition

    • Kernel minor version is 20241130 or higher

Note
  • To use the force SSL encryption feature, submit a ticket to have your Alibaba Cloud account added to the whitelist.

  • On most Linux distributions, OpenSSL is preinstalled and does not need to be installed again.

  • On Windows, you must download and install the OpenSSL package.

Notes

  • Enabling SSL encryption increases CPU utilization and read/write latencies.

  • You must close existing connections and establish new ones for SSL encryption to take effect after enabling it.

  • Configuring or modifying a custom certificate, or disabling SSL encryption, will restart your RDS instance, which takes about 3 minutes. Schedule these operations during off-peak hours.

  • Once force SSL encryption is enabled, ApsaraDB RDS for MySQL will only accept SSL-encrypted connections from clients or database proxies. Non-encrypted connections will be rejected.

How to configure

Step 1: obtain a custom certificate

Warning

Do not add a password to the private key when creating a server certificate or a self-signed certificate. SSL encryption cannot be enabled if the private key is password-protected.

The following instructions use CentOS as an example for generating a certificate.

Note

If you are using Windows as your operating system, the openssl command functions identically to the openssl command in CentOS. You should manually copy files instead of using the cp command and manually edit files rather than using the vim command.

  1. Generate a self-signed CA certificate and its private key. This certificate signs the server certificate in step 3, and clients use it to verify the server. Save the certificate as server-ca.crt and the key as server-ca.key.

    openssl req -new -x509 -days 365 -nodes -out server-ca.crt -keyout server-ca.key -subj "/CN=root-ca"
  2. Create a server certificate signing request (CSR) and its private key. Save the CSR as server.csr and the key as server.key.

    To protect a single endpoint with a custom certificate, generate the CSR file as follows:

    openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=rm-bpxxxxx.mysql.rds.aliyuncs.com"
    Note

    rm-bpxxxxx.mysql.rds.aliyuncs.com is an example endpoint. Replace it with the actual endpoint of the instance that you want to protect. The Common Name (CN) must be the host name that clients connect to; otherwise, clients that verify the server identity reject the connection. For more information about endpoints, see the ApsaraDB RDS documentation.

    The commands above pass the subject with the -subj option, so OpenSSL does not prompt for the subject fields. If you omit -subj, OpenSSL prompts for each of the following fields interactively. Configure them as needed; only the Common Name affects the connection.

    • Country Name: the two-letter country code defined by the International Organization for Standardization (ISO). Example: CN

    • State or Province Name: the province. Example: ZheJiang

    • Locality Name: the city. Example: HangZhou

    • Organization Name: the name of the enterprise that purchases the instance. Example: Alibaba

    • Organizational Unit Name: the department. Example: Aliyun

    • Common Name: the endpoint that the certificate protects (rm-bpxxxxx.mysql.rds.aliyuncs.com in the command above). It is already set by the -subj option, so you do not need to enter it again.

    • Email Address, A challenge password, and An optional company name: you do not need to configure these parameters. Leave A challenge password empty; it is not the private key password and is not used.

  3. Generate the server certificate and save it as server.crt.

    • To protect an endpoint, execute the following command:

      openssl x509 -req -in server.csr -text -days 365 -CA server-ca.crt -CAkey server-ca.key -CAcreateserial  -out server.crt

Verify the generated files by running the ls command:

# ls
server-ca.crt  server-ca.key  server-ca.srl  server.crt  server.csr  server.key

The files are as follows:

  • server.crt: the server certificate signed by the self-signed CA certificate. Because the command uses -text, the file starts with a human-readable dump; only the PEM block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is used in the console.

  • server.key: the private key for the server certificate. It is not password-protected because the CSR was created with -nodes.

  • server-ca.crt: the self-signed CA certificate that signed server.crt. Distribute this file, not server.crt, to clients that verify the server certificate.

  • server-ca.key: the private key of the self-signed CA certificate. Keep it offline; it is needed only to sign new server certificates.

  • server-ca.srl: the serial number file created by -CAcreateserial. You do not need to upload it.

  • server.csr: the certificate signing request. You do not need it after server.crt is generated.
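The commands in Step 1, as an added shell script that is not part of this topic or of Alibaba Cloud's tooling: it generates the files in one go and then runs the checks you want before pasting anything into the console (server.crt chains to server-ca.crt, server.key belongs to server.crt and is not password-protected, and the CN is the endpoint). The endpoint argument and the ./rds-ssl output directory are assumed values. The script omits -text from the signing command so that server.crt holds only the PEM block that the console accepts, and adds a -checkend test that answers the expiry question in the FAQ below.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud's own tooling. Generates the Step 1 files
# and runs pre-flight checks on them. The endpoint and the output directory
# are assumed values supplied as arguments.
set -eu

# Generate the self-signed CA and the server certificate signed by it.
# $1: output directory, $2: RDS endpoint to place in the server CN.
make_rds_certs() {
  dir=$1; endpoint=$2
  mkdir -p "$dir"
  # Self-signed root CA. -nodes leaves the key unencrypted, which the console requires.
  openssl req -new -x509 -days 365 -nodes \
    -out "$dir/server-ca.crt" -keyout "$dir/server-ca.key" \
    -subj "/CN=root-ca" 2>/dev/null
  # Server key and CSR; the CN must be the endpoint that clients connect to.
  openssl req -new -nodes \
    -out "$dir/server.csr" -keyout "$dir/server.key" \
    -subj "/CN=$endpoint" 2>/dev/null
  # Sign the CSR with the CA. -CAcreateserial writes server-ca.srl next to the CA.
  # -text is omitted so server.crt contains only the PEM block.
  openssl x509 -req -in "$dir/server.csr" -days 365 \
    -CA "$dir/server-ca.crt" -CAkey "$dir/server-ca.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null
}

# Pre-flight checks on the generated files. Prints "ok" and returns 0 when all
# checks pass; prints the failing check and returns 1 otherwise.
check_rds_certs() {
  dir=$1; endpoint=$2
  # 1. server.crt must chain to server-ca.crt, which is what clients verify against.
  openssl verify -CAfile "$dir/server-ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
    || { echo "server.crt does not chain to server-ca.crt"; return 1; }
  # 2. The private key must belong to the certificate (compare the public keys).
  cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "server.key does not match server.crt"; return 1; }
  # 3. The key must not be password-protected (PKCS#8 or legacy PEM marker).
  if grep -q ENCRYPTED "$dir/server.key"; then
    echo "server.key is password-protected"; return 1
  fi
  # 4. The CN must be the endpoint, or clients that verify identity refuse to connect.
  #    Both "CN = x" (OpenSSL 1.1+) and "/CN=x" (OpenSSL 1.0) subject formats are accepted.
  subject=$(openssl x509 -in "$dir/server.crt" -noout -subject)
  case "$subject" in
    *"CN = $endpoint"*|*"CN=$endpoint"*) ;;
    *) echo "CN mismatch: $subject"; return 1 ;;
  esac
  echo ok
}

# Returns 0 if server.crt stays valid for at least $2 more days, 1 if it
# expires sooner. Suitable for a cron job that warns before the certificate expires.
cert_valid_for_days() {
  dir=$1; days=$2
  openssl x509 -in "$dir/server.crt" -noout -checkend $((days * 86400)) >/dev/null
}

# Usage: sh rds-ssl-certs.sh rm-bpxxxxx.mysql.rds.aliyuncs.com
if [ -n "${1:-}" ]; then
  make_rds_certs ./rds-ssl "$1"
  check_rds_certs ./rds-ssl "$1"
  cert_valid_for_days ./rds-ssl 30 && echo "server.crt is valid for at least 30 more days"
fi
```

After the checks print ok, paste server.crt and server.key into the console as described in Step 2, and give clients server-ca.crt as their CA file so that they can verify the server's identity.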

Step 2: Use a custom certificate to enable SSL encryption

Note

After configuring a custom certificate, the Running Status of the instance will show Modifying SSL for three minutes. Wait until the status changes to Running before proceeding with further operations.

  1. Navigate to the RDS instance list, select a region at the top, and then click the ID of the destination instance.

  2. Navigate to the Data Security > SSL page.

  3. Change the certificate source to Use A Custom Certificate. Click the switch next to Disabled, enter the Server Certificate and Private Key Of The Server Certificate, decide whether to Enable SSL encryption, and then click OK to finalize the configuration.

    Parameter

    Value

    Server certificate

    Enter the content of the server.crt file that you obtained in Step 1: Obtain a custom certificate. Enter the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, including the BEGIN and END parts.

    Private key of the server certificate

    Enter the content of the server.key file that you obtained in Step 1: Obtain a custom certificate. Enter the content between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, including the BEGIN and END parts.

    Enable

    Enable or disable SSL encryption based on your business requirements.

    • Only instances that meet the requirements for force SSL encryption listed in the Prerequisites section (MySQL 8.0 or MySQL 5.7 with a kernel minor version of 20241130 or later) support force SSL encryption.

    • After you enable force SSL encryption, only SSL-encrypted connections are allowed when a client or database proxy connects to ApsaraDB RDS for MySQL. Non-encrypted connections are rejected.

Step 3: connect to the database from a client

ApsaraDB RDS for MySQL supports remote SSL connections. For details, see SSL connection to ApsaraDB RDS for MySQL.

Step 4: (optional) update the certificate

Note

Updating a custom certificate will restart your RDS instance unless you are using MySQL 8.0. Proceed with caution.

To update the certificate, click the update SSL button on the SSL page and enter the new server certificate and private key.

Step 5: (optional) disable SSL encryption

Important

Disabling SSL encryption will restart your RDS instance. Proceed with caution.

To disable SSL encryption, go to the SSL page and click the switch next to Enabled.

FAQ

Q: What should I do if a custom certificate expires?

A: Custom certificates in ApsaraDB RDS for MySQL have user-defined validity periods, which are set by the -days value used when the certificate is generated. You will receive a notification before the certificate expires. When you receive it, generate a new server certificate as described in Step 1 and upload it as described in Step 4 before the old certificate expires; a certificate's validity period cannot be extended in place. Clients that verify the server certificate cannot establish new connections once it has expired.