DOC-5494 RS: Added crdb-cli and REST API examples to enable TLS after Active-Active database creation

rrelledge · rrelledge · commit 84400f1d4c3d · 2025-08-06T16:13:08.000-05:00
diff --git a/content/operate/rs/security/encryption/tls/enable-tls.md b/content/operate/rs/security/encryption/tls/enable-tls.md
@@ -81,9 +81,14 @@ rladmin tune db < db:id | name > mtls_allow_outdated_certs enabled
 
 ## Enable TLS for Active-Active cluster connections
 
-You cannot enable or turn off TLS after the Active-Active database is created, but you can change the TLS configuration.
 
-To enable TLS for Active-Active cluster connections:
+You can enable TLS for Active-Active cluster connections when you create a database using the Cluster Manager UI, [`crdb-cli`]({{<relref "/operate/rs/references/cli-utilities/crdb-cli">}}), or the [REST API]({{<relref "/operate/rs/references/rest-api">}}).
+
+If you need to enable or turn off TLS after the Active-Active database is created, you must use [`crdb-cli`]({{<relref "/operate/rs/references/cli-utilities/crdb-cli">}}) or the [REST API]({{<relref "/operate/rs/references/rest-api">}}).
+
+### Enable TLS during database creation
+
+To enable TLS for Active-Active cluster connections using the Cluster Manager UI:
 
 1. During [database creation]({{<relref "/operate/rs/databases/active-active/create">}}), expand the **TLS** configuration section.
 
@@ -95,6 +100,44 @@ To enable TLS for Active-Active cluster connections:
 
 If you also want to require TLS for client connections, you must edit the Active-Active database configuration after creation. See [Enable TLS for client connections](#client) for instructions.
 
+### Enable TLS after database creation
+
+You can enable TLS for an existing Active-Active database using either `crdb-cli` or the REST API.
+
+{{< multitabs id="enable-tls-post-creation"
+tab1="CLI"
+tab2="REST API" >}}
+
+Run the following [`crdb-cli crdb update`]({{<relref "/operate/rs/references/cli-utilities/crdb-cli/crdb/update">}}) command:
+
+```sh
+crdb-cli crdb update --crdb-guid <guid> --encryption true
+```
+
+Replace `<guid>` with your Active-Active database's globally unique identifier.
+
+-tab-sep-
+
+To enable TLS for Active-Active cluster communication only:
+
+```sh
+curl -v -k -u <username>:<password> \
+  -H "Content-type: application/json" \
+  -d '{ "enforce_client_authentication": "disabled", "tls_mode": "replica_ssl" }' \
+  -X PUT https://<cluster-fqdn>:9443/v1/bdbs/<bdb-id>
+```
+
+To enable TLS for all communications (cluster and client):
+
+```sh
+curl -v -k -u <username>:<password> \
+  -H "Content-type: application/json" \
+  -d '{ "enforce_client_authentication": "disabled", "tls_mode": "enabled" }' \
+  -X PUT https://<cluster-fqdn>:9443/v1/bdbs/<bdb-id>
+```
+
+{{< /multitabs >}}
+
 ## Enable TLS for Replica Of cluster connections
 
 {{<embed-md "replica-of-tls-config.md">}}
