The default connection string for Timescale uses the Secure Sockets Layer (SSL) mode
Users can choose not to use Transport Layer Security (TLS) while connecting to their databases, but connecting to production databases without encryption is strongly discouraged. To achieve even stronger security, clients can choose to verify the identity of the server. If you want your connection client to verify the server's identity, you can connect with an SSL mode of
To do so, you need to store a copy of the certificate chain where your connection tool can find it.
This section provides instructions for setting up a stricter SSL connection.
As part of the secure connection protocol, the server proves its identity by providing clients with a certificate. This certificate should be issued and signed by a well-known and trusted Certificate Authority.
Because requesting a certificate from a Certificate Authority takes some time, Timescale databases are initialized with a self-signed certificate. This lets you start up a database immediately. After your service is started, a signed certificate is requested behind the scenes. The new certificate is usually received within 30 minutes. Your database certificate is then replaced with almost no interruption. Connections are reset, and most clients reconnect automatically.
With the signed certificate, you can switch your connections to a stricter SSL
mode, such as
For more information on the different SSL modes, see the PostgreSQL SSL mode descriptions.
To set up a stricter SSL connection:
- Generate a copy of your certificate chain and store it in the right location
- Change your Timescale connection string
Use the openssl tool to connect to your Timescale service and get the certificate bundle. Store the bundle in a file called
Replace $SERVICE_URL_WITH_PORT with your Timescale connection URL:
Copy the bundle to your clipboard:
Navigate to https://whatsmychaincert.com/. This online tool generates a full certificate chain, including the root Certificate Authority certificate, which is not included in the certificate bundle returned by the database.
Paste your certificate bundle in the provided box. Check Include Root Certificate. Click
Save the downloaded certificate chain to
Change your Timescale connection string from
sslmode=verify-ca. For example, to connect to your database with
To check whether the certificate has been replaced yet, connect to your database instance and inspect the returned certificate:
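An added example, not part of the original Timescale page: shell helpers that extract the PEM bundle from `openssl s_client -showcerts` output and test whether the service still presents its initial self-signed certificate by comparing the leaf subject and issuer. The function names and the sample output are constructed for illustration, and comparing subject with issuer is a heuristic rather than a signature check.

```shell
#!/bin/sh
# Added example (not from the Timescale docs). Function names are hypothetical.

# Print what the server presents. PostgreSQL upgrades to TLS in-band, so
# s_client needs -starttls postgres. $1 is host:port.
fetch_showcerts() {
    openssl s_client -showcerts -starttls postgres -connect "$1" \
        </dev/null 2>/dev/null
}

# stdin: s_client output; stdout: only the PEM certificate blocks.
extract_pem_bundle() {
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# stdin: s_client output. Succeeds when the leaf (depth 0) subject equals
# its issuer, i.e. the initial self-signed certificate is still in place.
leaf_is_self_signed() {
    awk '
        /^ *0 s:/       { sub(/^ *0 s:/, ""); subj = $0; seen = 1; next }
        seen && /^ *i:/ { sub(/^ *i:/, "");   iss = $0;  exit }
        END             { exit !(seen && subj == iss) }
    '
}

# Constructed sample of s_client output after the CA-signed certificate has
# been installed (names and certificate bodies are placeholders).
sample_signed() {
    cat <<'EOF'
Certificate chain
 0 s:CN = db.example.test
   i:C = XX, O = Example CA, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
 1 s:C = XX, O = Example CA, CN = Example Issuing CA
   i:C = XX, O = Example Root, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
EOF
}

if sample_signed | leaf_is_self_signed; then
    echo "still self-signed: wait before switching to sslmode=verify-ca"
else
    echo "CA-signed: the chain can be verified with sslmode=verify-ca"
fi
# Live use: fetch_showcerts "$SERVICE_URL_WITH_PORT" | leaf_is_self_signed
```

While the leaf is still self-signed, a client using `sslmode=verify-ca` with the CA chain as its root file rejects the connection, so run the check before changing the connection string.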