This guide provides general information to help identify and update SSL certificates. Streamkap is not responsible for certificate management, database security configuration, or any issues arising from improper certificate handling. Always consult your database vendor’s official documentation and follow your organization’s security policies. Improper certificate management may result in service disruption or security vulnerabilities.
It’s possible that your database instance is using outdated or weak SSL certificates for encrypted connections. Your Sources and Destinations in Streamkap may be affected if they connect to databases with weak SSL certificates. In such cases, you may see connection errors or warnings in the Streamkap UI and logs indicating SSL/TLS issues or encryption algorithm problems, such as:
  • “Certificate verify failed”
  • “SSL handshake failed due to weak encryption algorithm”
  • “Certificates do not conform to algorithm constraints”

Before You Begin

Prerequisites

  1. Backup: Create backups of existing certificates and database configuration
  2. Downtime Planning: Schedule a maintenance window for certificate updates
  3. Certificate Preparation: Ensure new certificates are ready:
    • Server certificate (.crt or .pem)
    • Private key (.key or .pem)
    • CA certificate chain (optional but recommended)
  4. Permission Check: Verify you have the necessary permissions to modify database configuration

Common Certificate Types and Their Security

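| Key Type | Key Size | Hash Algorithm | Security Level | Recommendation |
|----------|----------|----------------|----------------|----------------|
| RSA | 2048-bit | SHA-256 | Good | Acceptable for most use cases |
| RSA | 4096-bit | SHA-256 | Strong | Recommended for high security |
| RSA | 1024-bit | SHA-1 | Weak | Should be upgraded |
| ECDSA | P-256 | SHA-256 | Good | Modern alternative to RSA |
| ECDSA | P-384 | SHA-384 | Strong | High security |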

PostgreSQL

Check certificate using openssl:
openssl s_client -connect {hostname}:5432 -starttls postgres < /dev/null 2>/dev/null | openssl x509 -text -noout
Check certificate encryption using SQL:
SHOW ssl;
SHOW ssl_cert_file;
SHOW ssl_key_file;
SHOW ssl_ca_file;
SELECT ssl, version, cipher, bits FROM pg_stat_ssl WHERE pid = pg_backend_pid();

Self-hosted PostgreSQL

Self-hosted PostgreSQL certificate documentation:

AWS RDS PostgreSQL

AWS RDS manages certificates, so typically no action is needed. PostgreSQL on AWS RDS certificate documentation:

Azure Database for PostgreSQL

Azure manages certificates, so typically no action is needed. Azure PostgreSQL certificate documentation:

Google Cloud SQL PostgreSQL

Google Cloud SQL manages certificates, so typically no action is needed. Cloud SQL PostgreSQL certificate documentation:

MySQL / MariaDB

Check certificate using openssl:
openssl s_client -connect {hostname}:3306 -starttls mysql < /dev/null 2>/dev/null | openssl x509 -text -noout
Check certificate encryption using SQL:
SHOW STATUS LIKE 'Ssl_cipher';
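
Added example (not Streamkap's code): a Python helper that reads the text printed by the `openssl s_client ... | openssl x509 -text -noout` commands shown for PostgreSQL and MySQL/MariaDB and rates it against the certificate table on this page. The sample outputs are constructed, and treating any SHA-1 signature or any RSA key under 2048 bits as Weak is an assumption that generalizes the table's single Weak row.

```python
import re

# Ratings copied from this page's table: (key type, key size, hash) -> level.
RATINGS = {
    ("RSA", "1024", "SHA-1"): "Weak",
    ("RSA", "2048", "SHA-256"): "Good",
    ("RSA", "4096", "SHA-256"): "Strong",
    ("ECDSA", "P-256", "SHA-256"): "Good",
    ("ECDSA", "P-384", "SHA-384"): "Strong",
}
HASHES = {"sha1": "SHA-1", "sha256": "SHA-256", "sha384": "SHA-384"}
CURVES = {"prime256v1": "P-256", "secp384r1": "P-384"}
# Constructed samples: trimmed `openssl x509 -text -noout` output, no real server.
SAMPLE_WEAK = """\
    Signature Algorithm: sha1WithRSAEncryption
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (1024 bit)
"""
SAMPLE_EC = """\
    Signature Algorithm: ecdsa-with-SHA256
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
            ASN1 OID: prime256v1
"""


def parse_cert_text(text):
    """Return (key type, key size, hash) parsed from x509 -text output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    curve = re.search(r"(?:ASN1 OID|NIST CURVE):\s*(\S+)", text)
    if not (sig and alg and bits):
        raise ValueError("required fields missing from x509 -text output")
    # Signature names look like sha256WithRSAEncryption or ecdsa-with-SHA384.
    digest = next((v for k, v in HASHES.items() if k in sig.group(1).lower()),
                  sig.group(1))
    if alg.group(1) == "rsaEncryption":
        return ("RSA", bits.group(1), digest)
    if alg.group(1) == "id-ecPublicKey":
        name = curve.group(1) if curve else bits.group(1)
        return ("ECDSA", CURVES.get(name, name), digest)
    return (alg.group(1), bits.group(1), digest)


def rate(text):
    """Rate a certificate; 'Unlisted' means the page's table has no such row."""
    key_type, size, digest = parse_cert_text(text)
    # Assumption beyond the table: SHA-1 or RSA below 2048 bits is always Weak.
    if digest == "SHA-1" or (key_type == "RSA" and int(size) < 2048):
        return "Weak"
    return RATINGS.get((key_type, size, digest), "Unlisted")
```

To rate a live server, save the output of the openssl command to a file and pass its contents to `rate()`; an `Unlisted` result means the combination needs a manual review against your own policy.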

Self-hosted MySQL/MariaDB

Self-hosted MySQL/MariaDB certificate documentation:

AWS RDS MySQL/MariaDB

MySQL/MariaDB on AWS RDS manages certificates, so typically no action is needed. MySQL/MariaDB on AWS RDS certificate documentation:

Azure Database for MySQL

Azure manages certificates, so typically no action is needed. Azure MySQL certificate documentation:

Google Cloud SQL MySQL

Google Cloud SQL manages certificates, so typically no action is needed. Cloud SQL MySQL certificate documentation:

SQL Server

openssl does not work with SQL Server.
Check certificate using SQL Server Configuration Manager (Recommended):
  1. Open SQL Server Configuration Manager
  2. Expand SQL Server Network Configuration
  3. Right-click Protocols for [INSTANCE_NAME] and select Properties
  4. Navigate to Certificate tab
  5. View the selected certificate from dropdown
  6. Click View to see certificate details (issuer, expiration, key size, signature algorithm)
Check certificate using T-SQL:
-- View certificate details (if using certificate-based authentication)
SELECT issuer_name, subject, expiry_date, key_length FROM sys.certificates;
Examine certificate from Windows Certificate Store:
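# View certificates in Local Computer store
# KeySize is populated for RSA keys; SignatureAlgorithm is shown by its friendly name (e.g. sha256RSA)
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {$_.Subject -like "*your-server*"} |
    Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter,
                @{Name="KeySize";Expression={$_.PublicKey.Key.KeySize}},
                @{Name="SignatureAlgorithm";Expression={$_.SignatureAlgorithm.FriendlyName}}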

Self-hosted SQL Server

Microsoft SQL Server certificate documentation:

AWS RDS SQL Server

SQL Server on AWS RDS manages certificates, so typically no action is needed. SQL Server on RDS certificate documentation:

Azure SQL Database

Azure manages certificates, so typically no action is needed. Azure SQL certificate documentation:

Oracle

Please refer to official documentation for details on managing Oracle SSL certificates.

Self-hosted Oracle

Oracle certificate documentation:

Oracle Cloud (OCI)

Oracle Cloud OCI certificate documentation:

MongoDB

Please refer to official documentation for details on managing MongoDB SSL certificates.

Self-hosted MongoDB

MongoDB certificate documentation:

MongoDB Atlas

MongoDB Atlas manages certificates, so typically no action is needed. MongoDB Atlas certificate documentation:

Additional Resources