|
| 1 | +--- |
| 2 | +pcx_content_type: concept |
| 3 | +title: SSL/TLS certificates |
| 4 | +sidebar: |
| 5 | + order: 6 |
| 6 | + badge: |
| 7 | + text: Beta |
| 8 | +--- |
| 9 | + |
| 10 | +import { TabItem, Tabs, Render, WranglerConfig } from "~/components"; |
| 11 | + |
| 12 | +Hyperdrive provides additional ways to secure connectivity to your database. Hyperdrive supports: |
| 13 | + |
| 14 | +1. **Server certificates** for TLS (SSL) modes such as `verify-ca` and `verify-full` for increased security. When configured, Hyperdrive will verify that the certificates have been signed by the expected certificate authority (CA) to avoid man-in-the-middle attacks. |
| 15 | +2. **Client certificates** for Hyperdrive to authenticate itself to your database with credentials beyond beyond username/password. To properly use client certificates, your database must be configured to verify the client certificates provided by a client, such as Hyperdrive, to allow access to the database. |
| 16 | + |
| 17 | +Hyperdrive can be configured to use only server certificates, only client certificates, or both depending on your security requirements and database configurations. |
| 18 | + |
| 19 | +:::note |
| 20 | + |
| 21 | +Support for server certificates and client certificates is not available for MySQL (beta). Support for server certificates and client certificates is only available for local development using `npx wrangler dev --remote` which runs your Workers and Hyperdrive in Cloudflare's network with local debugging. |
| 22 | + |
| 23 | +::: |
| 24 | + |
| 25 | +## Server certificates (TLS/SSL modes) |
| 26 | + |
| 27 | +Hyperdrive supports 3 common encryption [TLS/SSL modes](https://www.postgresql.org/docs/current/libpq-ssl.html) to connect to your database: |
| 28 | + |
| 29 | +- `require` (default): TLS is required for encrypted connectivity and server certificates are validated (based on WebPKI). |
| 30 | +- `verify-ca`: Hyperdrive will verify that the database server is trustworthy by verifying that the certificates of the server have been signed by the expected root certificate authority or intermediate certificate authority. |
| 31 | +- `verify-full`: Identical to `verify-ca`, but Hyperdrive also requires the database hostname to match a Subject Alternative Name (SAN) present on the certificate. |
| 32 | + |
| 33 | +By default, all Hyperdrive configurations are encrypted with SSL/TLS (`require`). This requires your database to be configured to accept encrypted connections (with SSL/TLS). |
| 34 | + |
| 35 | +You can configure Hyperdrive to use `verify-ca` and `verify-full` for a more stringent security configuration, which provide additional verification checks of the server's certificates. This helps guard against man-in-the-middle attacks. |
| 36 | + |
| 37 | +To configure Hyperdrive to verify the certificates of the server, you must provide Hyperdrive with the certificate of the root certificate authority (CA) or an intermediate certificate which has been used to sign the certificate of your database. |
| 38 | + |
| 39 | +### Step 1: Upload your the root certificate authority (CA) certificate |
| 40 | + |
| 41 | +Using Wrangler, you can upload your root certificate authority (CA) certificate: |
| 42 | + |
| 43 | +```bash |
| 44 | +# requires Wrangler 4.9.0 or greater |
| 45 | +npx wrangler cert upload certificate-authority --ca-cert \<ROUTE_TO_CA_PEM_FILE\>.pem --name \<CUSTOM_NAME_FOR_CA_CERT\> |
| 46 | + |
| 47 | +--- |
| 48 | + |
| 49 | +Uploading CA Certificate tmp-cert... |
| 50 | +Success! Uploaded CA Certificate <CUSTOM_NAME_FOR_CA_CERT> |
| 51 | +ID: <YOUR_ID_FOR_THE_CA_CERTIFICATE> |
| 52 | +... |
| 53 | +``` |
| 54 | + |
| 55 | +:::note |
| 56 | + |
| 57 | +You must use the CA certificate bundle that is for your specific region. You can not use a CA certificate bundle that contains more than one CA certificate, such as a global bundle of CA certificates containing each region's certificate. |
| 58 | + |
| 59 | +::: |
| 60 | + |
| 61 | +### Step 2: Create your Hyperdrive configuration using the CA certificate and the SSL mode |
| 62 | + |
| 63 | +Once your CA certificate has been created, you can create a Hyperdrive configuration with the newly created certificates using either the dashboard or Wrangler. You must also specify the SSL mode of `verify-ca` or `verify-full` to use. |
| 64 | + |
| 65 | +<Tabs> |
| 66 | + |
| 67 | +<TabItem label="Wrangler"> |
| 68 | + |
| 69 | +Using Wrangler, enter the following command in your terminal to create a Hyperdrive configuration with the CA certificate and a `verify-full` SSL mode: |
| 70 | + |
| 71 | +```bash |
| 72 | +npx wrangler hyperdrive create <NAME_OF_HYPERDRIVE_CONFIG> --connection-string="postgres://user:password@HOSTNAME_OR_IP_ADDRESS:PORT/database_name" --ca-certificate-id <YOUR_CA_CERT_ID> --sslmode verify-full |
| 73 | +``` |
| 74 | +</TabItem> |
| 75 | + |
| 76 | +<TabItem label="Dashboard"> |
| 77 | + |
| 78 | +From the dashboard, follow these steps to create a Hyperdrive configuration with server certificates: |
| 79 | + |
| 80 | +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/?to=/:account/workers/hyperdrive), navigate to **Storage & Databases > Hyperdrive** and click **Create configuration**. |
| 81 | +2. Select **Server certificates**. |
| 82 | +3. Specify a SSL mode of **Verify CA** or **Verify full** |
| 83 | +4. Select the SSL certificate of the certificate authority (CA) of your database that you have previously uploaded with Wrangler. |
| 84 | + |
| 85 | +</TabItem> |
| 86 | + |
| 87 | +</Tabs> |
| 88 | + |
| 89 | + |
| 90 | + |
| 91 | +When creating the Hyperdrive configuration, Hyperdrive will attempt to connect to the database with the provided credentials. If the command provides successful results, you have properly configured your Hyperdrive configuration to verify the certificates provided by your database server. |
| 92 | + |
| 93 | +:::note |
| 94 | + |
| 95 | +Hyperdrive will attempt to connect to your database with the provided credentials to verify they are correct before creating a configuration. If you encounter an error when attempting to connect, refer to Hyperdrive's [troubleshooting documentation](/hyperdrive/observability/troubleshooting/) to debug possible causes. |
| 96 | + |
| 97 | +::: |
| 98 | + |
| 99 | +## Client certificates |
| 100 | + |
| 101 | +Your database can be configured to [verify a certificate provided by the client](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT), in this case, Hyperdrive. This serves as an additional factor to authenticate clients (in addition to the username and password). |
| 102 | + |
| 103 | +For the database server to be able to verify the client certificates, Hyperdrive must be configured to provide a certificate file (`client-cert.pem`) and a private key with which the certificate was generated (`private-key.pem`). |
| 104 | + |
| 105 | +### Step 1: Upload your client certificates (mTLS certificates) |
| 106 | + |
| 107 | +Upload your client certificates to be used by Hyperdrive using Wrangler: |
| 108 | + |
| 109 | +```bash |
| 110 | +# requires Wrangler 4.9.0 or greater |
| 111 | +npx wrangler cert upload mtls-certificate --cert client-cert.pem --key client-key.pem --name <CUSTOM_NAME_FOR_CLIENT_CERTIFICATE> |
| 112 | + |
| 113 | +--- |
| 114 | + |
| 115 | +Uploading client certificate <CUSTOM_NAME_FOR_CLIENT_CERTIFICATE>... |
| 116 | +Success! Uploaded client certificate <CUSTOM_NAME_FOR_CLIENT_CERTIFICATE> |
| 117 | +ID: <YOUR_ID_FOR_THE_CLIENT_CERTIFICATE_PAIR> |
| 118 | +... |
| 119 | +``` |
| 120 | + |
| 121 | +### Step 2: Create a Hyperdrive configuration |
| 122 | + |
| 123 | +You can now create a Hyperdrive configuration using the newly created client certificate bundle using the dashboard or Wrangler. |
| 124 | + |
| 125 | + |
| 126 | +<Tabs> |
| 127 | + |
| 128 | +<TabItem label="Wrangler"> |
| 129 | + |
| 130 | +Using Wrangler, enter the following command in your terminal to create a Hyperdrive configuration with using the client certificate pair: |
| 131 | + |
| 132 | +```bash |
| 133 | +npx wrangler hyperdrive create <NAME_OF_HYPERDRIVE_CONFIG> --connection-string="postgres://user:password@HOSTNAME_OR_IP_ADDRESS:PORT/database_name" --mtls-certificate-id <YOUR_CLIENT_CERT_PAIR_ID> |
| 134 | +``` |
| 135 | +</TabItem> |
| 136 | + |
| 137 | +<TabItem label="Dashboard"> |
| 138 | + |
| 139 | +From the dashboard, follow these steps to create a Hyperdrive configuration with server certificates: |
| 140 | + |
| 141 | +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/?to=/:account/workers/hyperdrive), navigate to **Storage & Databases > Hyperdrive** and click **Create configuration**. |
| 142 | +2. Select **Client certificates**. |
| 143 | +3. Select the SSL client certificate and private key pair for Hyperdrive to use during the connection setup with your database server. |
| 144 | + |
| 145 | +</TabItem> |
| 146 | + |
| 147 | +</Tabs> |
| 148 | + |
| 149 | + |
| 150 | +When Hyperdrive connects to your database, it will provide a client certificate signed with the private key to the database server. This allows the database server to confirm that the client, in this case Hyperdrive, has both the private key and the client certificate. By using client certificates, you can add an additional authentication layer for your database to ensures that only Hyperdrive can connect to it. |
| 151 | + |
| 152 | +:::note |
| 153 | + |
| 154 | +Hyperdrive will attempt to connect to your database with the provided credentials to verify they are correct before creating a configuration. If you encounter an error when attempting to connect, refer to Hyperdrive's [troubleshooting documentation](/hyperdrive/observability/troubleshooting/) to debug possible causes. |
| 155 | + |
| 156 | +::: |
0 commit comments