SSL/TLS Configuration
DBConvert Streams supports encrypted SSL/TLS connections to MySQL and PostgreSQL databases. SSL is configured per connection in the ssl object inside spec.database.
Connection SSL object
{
"name": "pg-production",
"type": "postgresql",
"spec": {
"database": {
"host": "db.example.com",
"port": 5432,
"username": "app",
"password": "secret",
"database": "production"
},
"ssl": {
"mode": "verify-full",
"ca": "BASE64_ENCODED_CA_CERTIFICATE",
"client_cert": "BASE64_ENCODED_CLIENT_CERTIFICATE",
"client_key": "BASE64_ENCODED_CLIENT_KEY"
}
}
}
SSL fields
| Field | Type | Description |
|---|---|---|
mode | string | SSL mode (see modes below) |
ca | string | CA certificate (base64-encoded PEM) |
client_cert | string | Client certificate (base64-encoded PEM) |
client_key | string | Client private key (base64-encoded PEM) |
Certificate values should be base64-encoded PEM content. To encode a certificate file:
base64 -w 0 < ca.pem
All three certificate fields are optional — which ones you need depends on the SSL mode and server requirements. The UI handles encoding automatically when you upload certificate files.
SSL modes
| Mode | Encryption | Server verification | Hostname check | Use case |
|---|---|---|---|---|
disabled | No | No | No | Development only |
require | Yes | No | No | Encrypt without verification |
verify-ca | Yes | Yes | No | Verify server certificate |
verify-full | Yes | Yes | Yes | Full verification (recommended for production) |
Examples
PostgreSQL with server verification
{
"ssl": {
"mode": "verify-ca",
"ca": "BASE64_ENCODED_CA_CERTIFICATE"
}
}
PostgreSQL with mutual TLS (mTLS)
When the server requires client certificate authentication:
{
"ssl": {
"mode": "verify-full",
"ca": "BASE64_ENCODED_CA_CERTIFICATE",
"client_cert": "BASE64_ENCODED_CLIENT_CERTIFICATE",
"client_key": "BASE64_ENCODED_CLIENT_KEY"
}
}
Encryption only (no certificate verification)
{
"ssl": {
"mode": "require"
}
}
Using curl
# Encode your CA certificate
CA_CERT=$(base64 -w 0 < ca.pem)
curl -X POST "$API_URL/connections" \
-H "X-API-Key: $API_KEY" \
-H "X-Install-ID: $INSTALL_ID" \
-H "Content-Type: application/json" \
-d '{
"name": "pg-ssl",
"type": "postgresql",
"spec": {
"database": {
"host": "db.example.com",
"port": 5432,
"username": "app",
"password": "secret",
"database": "production"
},
"ssl": {
"mode": "verify-ca",
"ca": "'"$CA_CERT"'"
}
}
}'
Server-side setup
PostgreSQL
Enable SSL in postgresql.conf:
ssl = on
ssl_cert_file = 'server-cert.pem'
ssl_key_file = 'server-key.pem'
ssl_ca_file = 'root.crt'
Verify SSL is active:
SELECT ssl, version FROM pg_stat_ssl WHERE pid = pg_backend_pid();
MySQL
Enable SSL in my.cnf:
[mysqld]
require_secure_transport = ON
ssl-ca = /path/to/ca.pem
ssl-cert = /path/to/server-cert.pem
ssl-key = /path/to/server-key.pem
Verify SSL status:
SHOW VARIABLES LIKE '%ssl%';
Require SSL for a user:
ALTER USER 'dbconvert'@'%' REQUIRE SSL;
Managed database SSL
Most managed databases have SSL enabled by default. Download the CA certificate from your provider:
- AWS RDS: Download the RDS CA bundle and use
verify-caorverify-fullmode - Google Cloud SQL: Download the server CA from the Cloud SQL instance page
- Azure Database: Download the CA certificate from the Azure portal
- DigitalOcean: Download the CA certificate from the database cluster settings
Troubleshooting
Certificate verify failed
- Check that the CA certificate matches the one used by the server
- Verify the certificate has not expired:
openssl x509 -in ca.pem -noout -dates - For
verify-full, confirm the hostname in the certificate matches the connection host
SSL connection required
- The server requires SSL but the connection has
modeset todisableor omitted - Set
modetorequireor higher
Client certificate rejected
- Verify
client_certandclient_keyform a valid pair:openssl x509 -in client.pem -noout -text - Confirm the client certificate is signed by a CA the server trusts
Related docs
- Connections API Workflows — Connection creation with SSL and SSH options
- Database Access Configuration — Network and firewall setup