
SSL Certificate Management

The SSL certificate management feature lets you manage the SSL certificates of an instance.

Enter the Management Page

Find the corresponding instance on the product homepage, and click the “Details” button to enter the details page.

Add an SSL Certificate

Switch to the “Certificate Management” panel.

A certificate can be added by USSL import, local upload, or manual input.

Certificate Format

UTiDB certificates support two upload methods: local upload of certificate files, and manual input of the certificate text.

Upload Locally

If you choose to upload the certificate file locally, you need to prepare the following files:

  • Required: the website’s certificate file (cer/crt/pem format). The text format of the file is as follows:
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----
  • Required: the private key file (key file)

The text format of the file with the RSA digital signature algorithm is as follows:

-----BEGIN RSA PRIVATE KEY-----
... 
-----END RSA PRIVATE KEY-----

The text format of the file with the ECDSA digital signature algorithm is as follows (the EC PARAMETERS block is optional):

-----BEGIN EC PARAMETERS-----
... 
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
... 
-----END EC PRIVATE KEY-----
  • Optional: intermediate certificate and root certificate (certificate chain, cer/crt/pem format). The text format of the file is as follows:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Password protection must be removed from the certificate you provide. When you upload a certificate or enter one manually, make sure that the certificate format is correct. If format verification fails, the certificate will not be added.

Manually Input Certificate

If you choose to manually input the certificate, the text must contain the following fields in order: private key, website certificate, intermediate certificate, root certificate, etc.

The reference format for the RSA digital signature algorithm is as follows (check that the certificate is complete when copying):

-----BEGIN RSA PRIVATE KEY-----
... 
-----END RSA PRIVATE KEY-----
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----

The reference format for the ECDSA digital signature algorithm is as follows (check that the certificate is complete when copying):

-----BEGIN EC PRIVATE KEY-----
... 
-----END EC PRIVATE KEY-----
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----

If your certificate is in another format, it is recommended to convert it with the openssl tool.

DER to PEM:

Certificate conversion: openssl x509 -inform der -in certificate.cer -out certificate.pem

Private key conversion (RSA certificate): openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

Private key conversion (ECDSA certificate): openssl ec -inform DER -outform PEM -in privatekey.der -out privatekey.pem
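
The manual-input layout and the no-password requirement described above can be checked locally before pasting. The following is an added example, not code from the product: a structural pre-check only, which does not verify that the key matches the certificate and is not the validation the service itself performs. The names `lint_bundle` and `make_block` are hypothetical, and accepting any label ending in CERTIFICATE and skipping an EC PARAMETERS block are assumptions.

```python
import base64
import re

# One PEM block: BEGIN and END lines carrying the same label around the body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY"}  # key types the page lists


def lint_bundle(text):
    """Return the problems found in manual-input text (empty list means OK)."""
    found = PEM_RE.findall(text)
    problems = []
    if text.count("-----BEGIN ") != len(found):
        problems.append("unterminated PEM block (incomplete copy?)")
    # Assumption: an optional EC PARAMETERS block is tolerated and skipped.
    blocks = [(label, body) for label, body in found if label != "EC PARAMETERS"]
    for i, (label, body) in enumerate(blocks):
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password protected")
            continue
        if i == 0 and label not in KEY_LABELS:
            problems.append("first block must be the private key")
        elif i > 0 and not label.endswith("CERTIFICATE"):
            problems.append(f"block {i + 1}: expected a certificate, got {label}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):  # keys and certificates are ASN.1 SEQUENCEs
            problems.append(f"block {i + 1}: body is not base64-encoded DER")
    if len(blocks) < 2:
        problems.append("need a private key followed by at least one certificate")
    return problems


def make_block(label):
    # Constructed placeholder DER (SEQUENCE { INTEGER 0 }), not a real key or certificate.
    return f"-----BEGIN {label}-----\nMAMCAQA=\n-----END {label}-----\n"


GOOD = make_block("RSA PRIVATE KEY") + make_block("CERTIFICATE") * 2
WRONG_ORDER = make_block("CERTIFICATE") + make_block("RSA PRIVATE KEY")
ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nMAMCAQA=\n"
             "-----END RSA PRIVATE KEY-----\n" + make_block("CERTIFICATE"))
TRUNCATED = make_block("EC PRIVATE KEY") + "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n"

if __name__ == "__main__":
    for name in ("GOOD", "WRONG_ORDER", "ENCRYPTED", "TRUNCATED"):
        print(name, lint_bundle(globals()[name]))
```

Run the check on a local copy of the text so the unencrypted private key is not pasted into any other tool.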

Enable SSL Configuration

After the certificate is uploaded, the SSL certificate configuration can be enabled in the operation column of the list. By default, SSL authentication is enabled for all users, and it takes effect for new connections.

After enabling the SSL certificate configuration, you can view the currently used certificate in the certificate list.

Disable SSL Configuration

When you disable the SSL certificate configuration, the change takes effect for new connections.

Delete SSL Certificate

Only unused SSL certificates can be deleted. A certificate in use must be disabled or switched to another certificate before it can be deleted.

View Certificate Details

Viewing the details of a certificate imported from USSL redirects you to the USSL details.

You can directly view the content of the locally uploaded and manually entered certificates.