TLS Support

TLS Support

Readyset supports TLS encryption between itself and your upstream database out of the box. To do this, Readyset must have access to the root certificate used by your upstream database. Operating systems typically come with the root certificates for some common certificate authorities already installed. If your upstream database uses a different root certificate, then you must either install that certificate (such that all applications on your system can use it to verify certificates) or provide the root certificate file path directly to Readyset via the --ssl-root-cert option.


The --ssl-root-cert option only supports a single certificate in the PEM or DER format. It does not support bundles containing multiple certificates.


On macOS, providing the root certificate via the --ssl-root-cert option is not supported, the Apple Security framework (used by Readyset to provide TLS support) does not allow the use of untrusted certificates even when explicitly provided.

Below are instructions for installing and trusting a new root certificate on supported platforms:

Readyset uses the system-provided OpenSSL package on Linux.

The following instructions are derived from the Ubuntu docs (opens in a new tab).

To install a new certificate, first download the certificate, then run the following:

# Change the extension to .crt, and if necessary, convert from DER to PEM format
# Place the output file in the appropriate system directory
sudo openssl x509 -outform pem -in $INFILE -out /usr/local/share/ca-certificates/$OUTFILE.crt
# Install the certificate
sudo update-ca-certificates

Below are download links for the root certificates for supported cloud database providers:

The Amazon RDS global certificate bundle (opens in a new tab) includes root certificates for every AWS region.

Alternatively, only download the region-specific bundle(s) (opens in a new tab) you need.