corrections

thomasgauvin · thomasgauvin · commit 251e67143f58 · 2025-04-08T10:29:00.000-04:00
diff --git a/src/content/docs/hyperdrive/configuration/custom-certificates-for-hyperdrive.mdx b/src/content/docs/hyperdrive/configuration/custom-certificates-for-hyperdrive.mdx
diff --git a/src/content/docs/hyperdrive/configuration/tls-ssl-certificates-for-hyperdrive.mdx b/src/content/docs/hyperdrive/configuration/tls-ssl-certificates-for-hyperdrive.mdx
@@ -0,0 +1,109 @@
+---
+pcx_content_type: concept
+title: SSL/TLS certificates
+sidebar:
+  order: 6
+  badge:
+    text: Beta
+---
+
+import { TabItem, Tabs, Render, WranglerConfig } from "~/components";
+
+Hyperdrive provides additional ways to secure connectivity to your database. Hyperdrive supports
+verification of server certificates for TLS (SSL) encryption for increased security. Hyperdrive also supports
+using client certificates to authenticate itself to your database for stricter authentication beyond username/password.
+
+:::note
+
+Support for server certificates and client certificates is not available for MySQL (beta).
+
+:::
+
+## Server certificates (TLS/SSL modes)
+
+Hyperdrive supports 3 common encryption [TLS/SSL modes](https://www.postgresql.org/docs/current/libpq-ssl.html) to connect to your database:
+
+- `require` (default): TLS is required for encrypted connectivity and server certificates are validated (based on WebPKI).
+- `verify-ca`: Hyperdrive will verify that the database server is trustworthy by verifying that the certificates of the server have been signed by the expected root certificate authority or intermediate certificate authority.
+- `verify-full`: Identical to `verify-ca`, but Hyperdrive also requires the database hostname must match a Subject Alternative Name (SAN) present on the certificate.
+
+By default, all Hyperdrive configurations are encrypted with SSL/TLS (`require`). This requires
+that your database is configured to accept encrypted connections (with SSL/TLS).
+
+You can configure Hyperdrive to use
+`verify-ca` and `verify-full` for a more stringent security configuration, which
+provide additional verification checks of the server's certificates. This
+helps guard against man-in-the-middle attacks.
+
+To configure Hyperdrive to verify the certificates of the server, you must provide Hyperdrive with the certificate of the root certificate authority (CA) or an intermediate certificate which
+has been used to sign the certificate of your database.
+
+### Step 1: Upload your the root certificate authority (CA) certificate
+
+Using Wrangler, you can upload your root certificate authority (CA) certificate:
+
+```bash
+npx wrangler cert upload certificate-authority --ca-cert \<ROUTE_TO_CA_PEM_FILE\>.pem --name \<CUSTOM_NAME_FOR_CA_CERT\>
+
+---
+
+Uploading CA Certificate tmp-cert...
+Success! Uploaded CA Certificate \<CUSTOM_NAME_FOR_CA_CERT\>
+ID: \<YOUR_ID_FOR_THE_CA_CERTIFICATE\>
+...
+```
+
+### Step 2: Create your Hyperdrive configuration using the CA certificate and the SSL mode
+
+Once your CA certificate has been created, you can create a Hyperdrive configuration with the newly created
+certificates using either the dashboard or Wrangler. You must also specify the SSL mode of `verify-ca` or `verify-full` to use.
+
+Using Wrangler, enter the following command in your terminal:
+
+UPDATE WRANGLER
+
+```bash
+npx wrangler hyperdrive create \<NAME_OF_HYPERDRIVE_CONFIG\> --connection-string="postgres://user:password@HOSTNAME_OR_IP_ADDRESS:PORT/database_name" --certificate-authority-id \<YOUR_CA_CERT_ID\>
+```
+
+When creating the Hyperdrive configuration, Hyperdrive will attempt to connect to the database with the
+provided credentials. If the command provides successful results, you have properly configured your Hyperdrive
+configuration to verify the certificates provided by your database server.
+
+:::note
+
+Hyperdrive will attempt to connect to your database with the provided credentials to verify they are correct before creating a configuration. If you encounter an error when attempting to connect, refer to Hyperdrive's [troubleshooting documentation](/hyperdrive/observability/troubleshooting/) to debug possible causes.
+
+:::
+
+## Client certificates
+
+Your database can be configured to [verify a certificate provided by the client](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT), in this case, Hyperdrive. This serves
+as an additional factor to authenticate clients (in addition to the username and password).
+
+For the database server to be able to verify the client certificates, Hyperdrive must be configured to provide a certificate
+file (`client-cert.pem`) and a private key with which the certificate was generated (`private-key.pem`).
+
+### Step 1: Upload your client certificates (mTLS certificates)
+
+Upload your client certificates to be used by Hyperdrive using Wrangler:
+
+```bash
+npx wrangler cert upload mtls-certificate --cert client-cert.pem --key client-key.pem --name <CUSTOM_NAME_FOR_CLIENT_CERTIFICATE>
+
+---
+
+Uploading client certificate <CUSTOM_NAME_FOR_CLIENT_CERTIFICATE>...
+Success! Uploaded client certificate <CUSTOM_NAME_FOR_CLIENT_CERTIFICATE>
+ID: <YOUR_ID_FOR_THE_CLIENT_CERTIFICATE_PAIR>
+...
+```
+
+### Step 2: Create a Hyperdrive configuration
+
+You can now create a Hyperdrive configuration using the newly created client certificate bundle using the dashboard or Wrangler.
+Using Wrangler, run the following command:
+
+```bash
+npx wrangler hyperdrive create <NAME_OF_HYPERDRIVE_CONFIG> --connection-string="postgres://user:password@HOSTNAME_OR_IP_ADDRESS:PORT/database_name" --certificate-authority-id <YOUR_CA_CERT_ID> --mtls-certificate-uuid <YOUR_CLIENT_CERT_PAIR_ID>
+```
diff --git a/src/content/docs/hyperdrive/examples/connect-to-postgres/index.mdx b/src/content/docs/hyperdrive/examples/connect-to-postgres/index.mdx
@@ -72,24 +72,6 @@ Other drivers and ORMs not listed may also be supported: this list is not exhaus
 
 <Render file="nodejs_compat" product="workers" />
 
-## Supported TLS (SSL) modes
-
-Hyperdrive supports the following [PostgreSQL TLS (SSL)](https://www.postgresql.org/docs/current/libpq-ssl.html) connection modes when connecting to your origin database:
-
-| Mode          | Supported                       | Details                                                                                                                                   |
-| ------------- | ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `none`        | No                              | Hyperdrive does not support insecure plain text connections.                                                                              |
-| `prefer`      | No (use `require`)              | Hyperdrive will always use TLS.                                                                                                           |
-| `require`     | Yes (default)                   | TLS is required, and server certificates are validated (based on WebPKI).                                                                 |
-| `verify-ca`   | Not currently supported in beta | Verifies the server's TLS certificate is signed by a root CA on the client. This ensures the server has a certificate the client trusts.  |
-| `verify-full` | Not currently supported in beta | Identical to `verify-ca`, but also requires the database hostname must match a Subject Alternative Name (SAN) present on the certificate. |
-
-:::caution
-
-Hyperdrive does not currently support uploading client CA certificates. In the future, you will be able to provide the client CA to Hyperdrive as part of your database configuration.
-
-:::
-
 ## Driver examples
 
 The following examples show you how to:
diff --git a/src/content/docs/hyperdrive/reference/supported-databases.mdx b/src/content/docs/hyperdrive/reference/supported-databases.mdx
@@ -0,0 +1,49 @@
+---
+pcx_content_type: concept
+title: Supported databases
+sidebar:
+  order: 2
+---
+
+## Database support
+
+Details on which database engines and/or specific database providers are supported are detailed in the following table.
+
+| Database Engine | Supported                | Known supported versions | Details                                                                                              |
+| --------------- | ------------------------ | ------------------------ | ---------------------------------------------------------------------------------------------------- |
+| PostgreSQL      | ✅                       | `9.0` to `16.x`          | Both self-hosted and managed (AWS, Google Cloud, Oracle) instances are supported.                    |
+| Neon            | ✅                       | All                      | Neon currently runs Postgres 15.x                                                                    |
+| Supabase        | ✅                       | All                      | Supabase currently runs Postgres 15.x                                                                |
+| Timescale       | ✅                       | All                      | See the [Timescale guide](/hyperdrive/examples/timescale/) to connect.                               |
+| Materialize     | ✅                       | All                      | Postgres-compatible. Refer to the [Materialize guide](/hyperdrive/examples/materialize/) to connect. |
+| CockroachDB     | ✅                       | All                      | Postgres-compatible. Refer to the [CockroachDB](/hyperdrive/examples/cockroachdb/) guide to connect. |
+| MySQL           | Coming soon              |                          |                                                                                                      |
+| SQL Server      | Not currently supported. |                          |                                                                                                      |
+| MongoDB         | Not currently supported. |                          |                                                                                                      |
+
+## Supported PostgreSQL authentication modes
+
+Hyperdrive supports the following [authentication modes](https://www.postgresql.org/docs/current/auth-methods.html) for connecting to PostgreSQL databases:
+
+- Password Authentication (`md5`)
+- Password Authentication (`password`) (clear-text password)
+- SASL Authentication (`SCRAM-SHA-256`)
+
+## Supported TLS (SSL) modes
+
+Hyperdrive supports the following [PostgreSQL TLS (SSL)](https://www.postgresql.org/docs/current/libpq-ssl.html) connection modes when connecting to your origin database:
+
+| Mode          | Supported          | Details                                                                                                                                   |
+| ------------- | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- |
+| `none`        | No                 | Hyperdrive does not support insecure plain text connections.                                                                              |
+| `prefer`      | No (use `require`) | Hyperdrive will always use TLS.                                                                                                           |
+| `require`     | Yes (default)      | TLS is required, and server certificates are validated (based on WebPKI).                                                                 |
+| `verify-ca`   | Yes                | Verifies the server's TLS certificate is signed by a root CA on the client. This ensures the server has a certificate the client trusts.  |
+| `verify-full` | Yes                | Identical to `verify-ca`, but also requires the database hostname must match a Subject Alternative Name (SAN) present on the certificate. |
+
+Refer to [SSL/TLS certificates](/hyperdrive/configuration/tls-ssl-certificates-for-hyperdrive/) documentation for details on how to configure `verify-ca` or `verify-full` TLS (SSL) modes for Hyperdrive.
+:::note
+
+Hyperdrive support for `verify-ca` and `verify-full` is not available for MySQL (beta).
+
+:::
