ApsaraDB RDS:Configure a custom certificate

Prerequisites

• The RDS instance runs PostgreSQL 10 or later and uses cloud disks.

  Note

  Serverless RDS instances are not supported.

• OpenSSL is installed.

  Note

  Linux operating systems are provided with OpenSSL. If you use a Linux operating system, you do not need to install OpenSSL. If you use a Windows operating system, you must download the OpenSSL software package and install OpenSSL. For more information, see the Win32/Win64 OpenSSL page.

Usage notes

• After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.

• After SSL encryption is enabled, you must close the existing connection and establish a new connection to make SSL encryption take effect.

• When you configure a custom certificate, modify the content of the configured custom certificate, or disable SSL encryption, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Create a custom certificate

In this example, Community Enterprise Operating System (CentOS) is used. If you use a Windows operating system, you can run the following openssl commands in the same way that you use in a CentOS operating system. In addition, you must manually copy or edit commands instead of the cp and vim commands.

1. Create a self-signed certificate and a private key for the self-signed certificate. The self-signed certificate is saved in a file named server-ca.crt. The private key is saved in a file named server-ca.key.

   openssl req -new -x509 -days 365 -nodes -out server-ca.crt -keyout server-ca.key -subj "/CN=root-server-ca"

2. Create a certificate signing request (CSR) file and a private key for the server certificate. The CSR file is named server.csr. The private key is saved in a file named server.key.

   Each custom certificate can protect one or more endpoints. You can use one of the following methods to generate a CSR file:

   • If you want to protect a single endpoint, run the following command:

     openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=pgm-bpxxxxx.pg.rds.aliyuncs.com"

     Note

     Replace pgm-bpxxxxx.pg.rds.aliyuncs.com with the endpoint that you want to protect. For more information about how to view the endpoint, see View and change the endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.

   • If you want to protect multiple endpoints, run the following command:

     1. Copy the openssl.cnf file for temporary use.

        cp /etc/pki/tls/openssl.cnf  /tmp/openssl.cnf

        Note

        If you use a Windows operating system, the openssl.cnf file is stored in the Installation directory of OpenSSL\bin\cnf directory. You can copy the openssl.cnf file to any other directory on your computer.

     2. Run the following command to open the openssl.cnf file:

        vim /tmp/openssl.cnf

     3. Enter i to enable the edit mode. Then, add the following content to the openssl.cnf file:

        # Add the following content at the end of the [ req ] element.
        req_extensions = v3_req
        
        # Add the [ v3_req ] element.
        [ v3_req ]
        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        subjectAltName = @alt_names
        
        # Add the [ alt_names ] element. Then, enter the endpoint that you want to protect following each Domain Name System (DNS) record.
        [ alt_names ]
        DNS.1 = pgm-bpxxxxx.pg.rds.aliyuncs.com
        DNS.2 = pgm-bpxxxxx.pg.rds.aliyuncs.com

     4. Press Esc to exit the edit mode. Then, enter :wq to save the file and exit.

     5. Create a certificate signing request (CSR) file and a private key for the server certificate. The CSR file is named server.csr. The private key is saved in a file named server.key.

        openssl req -new -nodes -text -out server.csr -keyout server.key -config /tmp/openssl.cnf

        When the server.csr file is being created, you are prompted to configure the following parameters based on your business requirements.

        Parameter	Description	Example value
        Country Name	The code of the country. Specify a two-letter country code defined by the International Organization for Standardization (ISO).	CN
        State or Province Name	The province.	ZheJiang
        Locality Name	The city.	HangZhou
        Organization Name	The name of the enterprise.	Alibaba
        Organizational Unit Name	The name of the department.	Aliyun
        Common Name	The domain name that you want to protect by using the certificate. The domain name is specified in the openssl.cnf file. You do not need to configure this parameter.	-
        Email Address	You do not need to configure this parameter.	-
        A challenge password	You do not need to configure this parameter.	-
        An optional company name	You do not need to configure this parameter.	-

3. Create a server certificate. The server certificate is saved in a file named server.crt.

   • If you want to protect a single endpoint, run the following command:

     openssl x509 -req -in server.csr -text -days 365 -CA server-ca.crt -CAkey server-ca.key -CAcreateserial  -out server.crt

   • If you want to protect multiple endpoints, run the following command:

     openssl x509 -req -in server.csr -text -days 365 -CA server-ca.crt -CAkey server-ca.key -CAcreateserial  -out server.crt -extensions v3_req -extfile /tmp/openssl.cnf

# ls
server-ca.crt  server-ca.key  ca.srl  server.crt  server.csr  server.key

Step 2: Use the created custom certificate to enable SSL encryption

1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

2. Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane, click Data Security. On the page that appears, click the SSL tab.

3. Set the Select Certificate Source parameter to Custom Certificate. Click Configuration next to Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, configure the Server Certificate and Private Key of Server Certificate parameters and click OK.

   

   Parameter	Description
   Server Certificate	The content of the server.crt file that you created. For more information, see Step 1: Create a custom certificate. Make sure that all the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is copied to this field.
   Private Key of Server Certificate	The content of the server.key file that you created. For more information, see Step 1: Create a custom certificate. Make sure that all the content from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- is copied to this field.

   When you request a custom certificate, you can select multiple endpoints that you want to protect. If you select multiple endpoints, you can find multiple records in the Protected Host parameter.

Step 3: Connect to the RDS instance from the database client

You can connect to the RDS instance from a client over SSL. For more information, see Connect to an ApsaraDB RDS for PostgreSQL instance over SSL.

Step 4: (Optional) Update the created custom certificate

Step 5: (Optional) Disable SSL encryption