Connect with a stricter SSL mode

This section provides instructions for setting up a stricter SSL connection.

All connections to Timescale Cloud are encrypted. As part of the secure connection protocol, the server proves its identity by providing clients with a certificate. This certificate should be issued and signed by a well-known and trusted Certificate Authority.

Because requesting a certificate from a Certificate Authority takes some time, Timescale Cloud databases are initialized with a self-signed certificate. This lets you start up a database immediately. After your service is started, a signed certificate is requested behind the scenes. The new certificate is usually received within 30 minutes. Your database certificate is then replaced with almost no interruption. Connections are reset, and most clients reconnect automatically.

With the signed certificate, you can switch your connections to a stricter SSL mode, such as verify-ca or verify-full.

To set up a stricter SSL connection:

1. Generate a copy of your certificate chain and store it in the right location
2. Change your Timescale Cloud connection string

1. Use the tool to connect to your Timescale Cloud service and get the certificate bundle. Store the bundle in a file called bundle.crt.

   Replace $SERVICE_URL_WITH_PORT with your Timescale Cloud connection URL:

3. Paste your certificate bundle in the provided box. Check Include Root Certificate. Click Generate Chain.

4. Save the downloaded certificate chain to .

To check whether the certificate has been replaced yet, connect to your database instance and inspect the returned certificate: