TLS Service Plans
This section describes the usage and configuration of TLS/SSL service plans from the perspective of the Platform Operator. For information from the Application Developer's point of view, please refer to the a9s TLS/SSL Service Plans documentation.
All TLS/SSL Service Instances use a X.509 certificate in order to encrypt the communication between server and client. These X.509 certificates and their corresponding private keys must be in PKCS#1 format and PEM encoded.
There are three general sources for the certificate of a Service Instance:
- A specific user provided certificate
- A generated certificate that is signed by the Certificate Authority (CA) that the Platform Operator configured
- A wildcard certificate that is directly provided by the Platform Operator
However, to use TLS/SSL service plans the Platform Operator has either to provide a wildcard certificate that is used for all corresponding service instances or a CA that is used to sign a specific certificate that is extra generated for a Service Instance. Only one of these options can be used at the same time.
Furthermore, please be aware that different services may have special limitations which are described explicitly in the Limitations section.
While the Platform Operator has to decide between a wildcard certificate or a generated certificate, the Application Developer is always able to provide their own certificate for a Service Instance which always takes precedence over the Platform Operator configured option and cannot be prohibit.
Supported Services
The following a9s Data Services support TLS/SSL service plans and share a common configuration interface:
- a9s KeyValue
- a9s LogMe2 - See OpenSearch Limitations
- a9s MariaDB
- a9s Messaging
- a9s MongoDB
- a9s PostgreSQL
- a9s Redis®* (starting from version 6)
- a9s Search - See OpenSearch Limitations
Limitations
Currently, the a9s Data Services do not support service plan upgrades from Non-TLS/SSL to TLS/SSL service plans.
OpenSearch Limitations
OpenSearch expects that the certificates' private keys are in the format PKCS#8. This restriction applies when one is
using user provided certificates,
a wildcard certificate or generated certificates.
You can check the vendor's documentation for more information:
- https://opensearch.org/docs/latest/security-plugin/configuration/tls/
- https://opensearch.org/docs/latest/security-plugin/configuration/generate-certificates/
*Redis is a registered trademark of Redis Ltd. Any rights therein are reserved to Redis Ltd. Any use by anynines GmbH is for referential purposes only and does not indicate any sponsorship, endorsement or affiliation between Redis and anynines GmbH.