# Database Connectivity SSL Certificate Management Guide

> This guide helps you identify the SSL certificate details and encryption strength of your database instances, and update them to use stronger encryption.

<Warning>
  This guide provides general information to help identify and update SSL certificates. **Streamkap is not responsible for certificate management, database security configuration, or any issues arising from improper certificate handling.**

  Always consult your database vendor's official documentation and follow your organization's security policies. Improper certificate management may result in service disruption or security vulnerabilities.
</Warning>

Your database instance may be using outdated or weak SSL certificates for encrypted connections. Sources and Destinations in Streamkap that connect to such a database may be affected. In that case, the Streamkap UI and logs may show connection errors or warnings about SSL/TLS or the encryption algorithm, such as:

* "Certificate verify failed"
* "SSL handshake failed due to weak encryption algorithm"
* "Certificates do not conform to algorithm constraints"

***

## Before You Begin

### Prerequisites

1. **Backup**: Create backups of existing certificates and database configuration
2. **Downtime Planning**: Schedule a maintenance window for certificate updates
3. **Certificate Preparation**: Ensure new certificates are ready:
   * Server certificate (`.crt` or `.pem`)
   * Private key (`.key` or `.pem`)
   * CA certificate chain (optional but recommended)
4. **Permission Check**: Verify you have the necessary permissions to modify the database configuration

### Common Certificate Types and Their Security

| Key Type | Key Size | Hash Algorithm | Security Level | Recommendation                |
| -------- | -------- | -------------- | -------------- | ----------------------------- |
| RSA      | 2048-bit | SHA-256        | Good           | Acceptable for most use cases |
| RSA      | 4096-bit | SHA-256        | Strong         | Recommended for high security |
| RSA      | 1024-bit | SHA-1          | Weak           | **Should be upgraded**        |
| ECDSA    | P-256    | SHA-256        | Good           | Modern alternative to RSA     |
| ECDSA    | P-384    | SHA-384        | Strong         | High security                 |

***

## PostgreSQL

**Check certificate using `openssl`:**

```bash
openssl s_client -connect {hostname}:5432 -starttls postgres < /dev/null 2>/dev/null | openssl x509 -text -noout
```
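
To read that output against the table under "Common Certificate Types and Their Security", the following added example (not part of the original guide or Streamkap's code) extracts the key type, key size and signature hash from `openssl x509 -text -noout` text and grades them; it works the same for the MySQL/MariaDB command. The function name `classify_cert`, the grading of sizes the table does not list, and the embedded sample excerpts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Streamkap code): grade `openssl x509 -text -noout` output
# against the key-type table above. Sizes the table does not list are an
# assumption: RSA is graded by the nearest smaller row, other EC sizes "unlisted".
# Real use: openssl s_client ... | openssl x509 -text -noout | classify_cert

classify_cert() (
  text=$(cat)
  field() { printf '%s\n' "$text" | sed -n "s/^.*$1: *//p" | head -n 1; }
  sig=$(field 'Signature Algorithm')   # first match is the certificate's own signature
  alg=$(field 'Public Key Algorithm')
  # Matches both "Public-Key: (2048 bit)" and the older "RSA Public-Key: (2048 bit)".
  bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: *(\([0-9]*\) bit).*$/\1/p' | head -n 1)
  if [ -z "$sig" ] || [ -z "$alg" ] || [ -z "$bits" ]; then
    echo "level=unknown"; exit 1   # not x509 text output; exit leaves only this subshell
  fi
  case "$alg" in
    rsaEncryption)
      key="RSA-$bits"
      if   [ "$bits" -lt 2048 ]; then level=weak
      elif [ "$bits" -lt 4096 ]; then level=good
      else level=strong; fi ;;
    id-ecPublicKey)
      key="EC-$bits"
      case "$bits" in 256) level=good ;; 384) level=strong ;; *) level=unlisted ;; esac ;;
    *) key="$alg-$bits"; level=unlisted ;;
  esac
  # A SHA-1 (or MD5) signature makes the certificate weak whatever the key size.
  case "$(printf '%s' "$sig" | tr 'A-Z' 'a-z')" in
    *sha1*|*md5*) level=weak ;;
  esac
  echo "key=$key sig=$sig level=$level"
)

# Constructed excerpts in the layout `openssl x509 -text -noout` prints.
SAMPLE_WEAK='        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'
SAMPLE_EC='        Signature Algorithm: ecdsa-with-SHA384
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                NIST CURVE: P-384'

printf '%s\n' "$SAMPLE_WEAK" | classify_cert
printf '%s\n' "$SAMPLE_EC" | classify_cert
```

A `level=weak` result corresponds to the table's "Should be upgraded" row; `level=unlisted` means the key type or size is not covered by the table and needs a manual decision.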

**Check certificate encryption using SQL:**

```sql
SHOW ssl;
SHOW ssl_cert_file;
SHOW ssl_key_file;
SHOW ssl_ca_file;
SELECT ssl, version, cipher, bits FROM pg_stat_ssl WHERE pid = pg_backend_pid();
```

### Self-hosted PostgreSQL

Self-hosted PostgreSQL certificate documentation:

* [PostgreSQL SSL Support](https://www.postgresql.org/docs/current/ssl-tcp.html)

### AWS RDS PostgreSQL

AWS RDS manages certificates, so typically no action is needed.

PostgreSQL on AWS RDS certificate documentation:

* [AWS RDS SSL/TLS Certificates](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
* [Updating RDS SSL/TLS Certificates](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html)

### Azure Database for PostgreSQL

Azure manages certificates, so typically no action is needed.

Azure PostgreSQL certificate documentation:

* [Azure PostgreSQL SSL/TLS](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-ssl-tls)

### Google Cloud SQL PostgreSQL

Google Cloud SQL manages certificates, so typically no action is needed.

Cloud SQL PostgreSQL certificate documentation:

* [Cloud SQL Server Certificates](https://cloud.google.com/sql/docs/postgres/configure-ssl-instance)

***

## MySQL / MariaDB

**Check certificate using `openssl`:**

```bash
openssl s_client -connect {hostname}:3306 -starttls mysql < /dev/null 2>/dev/null | openssl x509 -text -noout
```

**Check certificate encryption using SQL:**

```sql
SHOW STATUS LIKE 'Ssl_cipher';
```

### Self-hosted MySQL/MariaDB

Self-hosted MySQL/MariaDB certificate documentation:

* [MySQL Configuring SSL/TLS](https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html)

### AWS RDS MySQL/MariaDB

AWS RDS manages certificates for MySQL/MariaDB, so typically no action is needed.

MySQL/MariaDB on AWS RDS certificate documentation:

* [RDS MySQL SSL/TLS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/mysql-ssl-connections.html)
* [RDS Certificate Rotation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html)

### Azure Database for MySQL

Azure manages certificates, so typically no action is needed.

Azure MySQL certificate documentation:

* [Azure MySQL SSL Connectivity](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-connect-tls-ssl)

### Google Cloud SQL MySQL

Google Cloud SQL manages certificates, so typically no action is needed.

Cloud SQL MySQL certificate documentation:

* [Cloud SQL MySQL SSL/TLS](https://cloud.google.com/sql/docs/mysql/configure-ssl-instance)

***

## SQL Server

<Info>
  `openssl` does not work with SQL Server.
</Info>

**Check certificate using SQL Server Configuration Manager (Recommended):**

1. Open **SQL Server Configuration Manager**
2. Expand **SQL Server Network Configuration**
3. Right-click **Protocols for \[INSTANCE\_NAME]** → **Properties**
4. Navigate to the **Certificate** tab
5. View the selected certificate from the dropdown
6. Click **View** to see certificate details (issuer, expiration, key size, signature algorithm)

**Check certificate using T-SQL:**

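```sql
-- View certificate details (if using certificate-based authentication).
-- sys.certificates lists certificates stored in the current database; the TLS
-- certificate for client connections is the one selected in Configuration Manager.
SELECT issuer_name, subject, expiry_date, key_length FROM sys.certificates;
```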

**Examine certificate from Windows Certificate Store:**

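```powershell
# View certificates in the Local Computer store
# KeySize is read via PublicKey.Key, which loads RSA/DSA keys; it is blank for other key types.
# SignatureAlgorithm is an Oid object, so its FriendlyName is selected to print the algorithm name.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*your-server*" } |
    Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter,
                @{Name="KeySize"; Expression={ $_.PublicKey.Key.KeySize }},
                @{Name="SignatureAlgorithm"; Expression={ $_.SignatureAlgorithm.FriendlyName }}
```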

### Self-hosted SQL Server

Microsoft SQL Server certificate documentation:

* [Configure SQL Server to Use Certificates](https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-sql-server-encryption)

### AWS RDS SQL Server

AWS RDS manages certificates for SQL Server, so typically no action is needed.

SQL Server on RDS certificate documentation:

* [RDS SQL Server SSL/TLS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Concepts.General.SSL.Using.html)

### Azure SQL Database

Azure manages certificates, so typically no action is needed.

Azure SQL certificate documentation:

* [Azure SQL TLS/SSL](https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-content-reference-guide#encryption-and-certificate-validation)
* [Azure SQL Certificate Authentication](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure)

***

## Oracle

Please refer to official documentation for details on managing Oracle SSL certificates.

### Self-hosted Oracle

Oracle certificate documentation:

* [Oracle Database Security Guide - Configuring SSL/TLS](https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/configuring-secure-sockets-layer-authentication.html)

### Oracle Cloud (OCI)

Oracle Cloud OCI certificate documentation:

* [OCI Database SSL/TLS](https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/connect-ssl-tls.html)

***

## MongoDB

Please refer to official documentation for details on managing MongoDB SSL certificates.

### Self-hosted MongoDB

MongoDB certificate documentation:

* [Configure MongoDB Instances for TLS/SSL on Self-Managed Deployments](https://www.mongodb.com/docs/manual/tutorial/configure-ssl/)

### MongoDB Atlas

MongoDB Atlas manages certificates, so typically no action is needed.

MongoDB Atlas certificate documentation:

* [Atlas TLS/SSL Configuration](https://www.mongodb.com/docs/atlas/security-cluster-tls/)

***

## Additional Resources

* [OpenSSL Documentation](https://www.openssl.org/docs/)
