Database Encryption in Transit
Aptible Databases are configured to allow connecting with SSL. Where possible, they are also configured to require SSL to ensure data is encrypted in transit. See the documentation for your supported Database type for details on how it's configured.
Most supported database types use our wildcard *.aptible.in certificate for SSL / TLS termination, and most clients should be able to use the local trust store to verify the validity of this certificate without issue. Depending on your client, you may still need to enable an option to force verification. Please see your client documentation for further details.
Aptible CA Signed Certificates
While most Database types leverage the *.aptible.in certificate as above, other types (MySQL and PostgreSQL) have ways of revealing the private key with the permission set of the provided default aptible user, so they cannot use this certificate without creating a security risk. In these cases, Deploy uses a Certificate Authority unique to each environment in order to generate a server certificate for each of your databases.
The documentation for your supported Database type will specify if it uses such a certificate: currently this applies to MySQL and PostgreSQL databases only.
In order to perform certificate verification for these databases, you will need to provide the CA certificate to your client. Use the aptible environment:ca_cert command to retrieve the CA certificate for your environment(s); this is the certificate required to verify the server certificate for your database.
Self Signed Certificates
MySQL and PostgreSQL Databases that have been running since before January 15th, 2021 do not have a certificate generated by the Aptible CA as outlined above, but instead have a self-signed certificate installed. If this is the case for your database, all you need to do to move to an Aptible CA signed certificate is restart your database.
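To check whether a PostgreSQL database presents a certificate signed by your environment's CA, the following added example (not Aptible's own code) performs the PostgreSQL SSLRequest negotiation and then verifies the server certificate against only the CA file saved from aptible environment:ca_cert; a database still presenting a self-signed certificate fails this check. The function names, the command-line arguments and the assumption that the certificate names the host you connect to are ours.

```python
import socket
import ssl
import struct
import sys

# PostgreSQL SSLRequest message: int32 length (8) + int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def environment_ca_context(ca_path):
    """Build a context that trusts only the CA in ca_path.

    Passing cafile means the system trust store is not loaded, so only
    certificates issued by the environment CA will verify. The default
    context already requires a certificate and checks the hostname.
    """
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_path)


def verify_postgres_cert(host, port, ctx, timeout=10.0):
    """Return the verified peer certificate, or raise.

    Raises ConnectionError if the server declines TLS and
    ssl.SSLCertVerificationError if the certificate does not chain to a
    CA in ctx (for example, a self-signed certificate) or does not match host.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(SSL_REQUEST)
        reply = raw.recv(1)  # b"S" = proceed with TLS, b"N" = TLS not offered
        if reply != b"S":
            raise ConnectionError(f"server declined TLS (reply {reply!r})")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage (hypothetical script name): check_db_cert.py CA_FILE HOST PORT
    ca_file, db_host, db_port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    try:
        cert = verify_postgres_cert(db_host, db_port, environment_ca_context(ca_file))
        print("verified against environment CA; expires", cert["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        print("verification failed:", exc.verify_message)
        sys.exit(1)
```

The check is equivalent in intent to connecting with libpq's sslmode=verify-full and sslrootcert set to the same CA file.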
Other Certificate Requirements
Contact Aptible Support if you have unique database server certificate constraints - we can accommodate installing a certificate that you provide if required.