Configure SSL connections for data sources
Learn how to connect to your resources using SSL/TLS encryption.
Retool supports SSL and TLS connections to database resources as long as the database server is configured to support it.
The following resource types have options for SSL/TLS encryption in their configuration settings:
- AlloyDB
- Cassandra
- CouchDB
- ElasticSearch
- GraphQL
- gRPC
- Microsoft SQL
- MongoDB
- MySQL
- Postgres
- Redshift
- Redis
- REST API
- RethinkDB
Connect using SSL/TLS
To connect with SSL, on the Create resource or Edit resource form, select the Use SSL/TLS checkbox. Depending on the resource, additional fields are shown once the checkbox is clicked. The standard options are CA Certificate, Client Key, Client Certifcate, and Verification mode.
For API Resources, specify an HTTPS base URL before clicking the Use self-signed certificates checkbox to add TLS options.
CA Certificate is a certificate signed by a trusted, third-party certificate authority (CA). The client, which is Retool in this case, uses the certificate to verify that they are talking to the correct server. Client Key and Client Certificate are additional fields that identify the client to the server.
Verification modes
The following table lists the available Verification mode options:
| Verification mode | psql equivalent | Description |
|---|---|---|
| Full verification | verify-full | Verifies the server host matches the name stored in the server certificate and checks the CA certificate. |
| Verify CA Certificate | verify-ca | Verifies the server by checking the certificate chain up to the root certificate stored on the client. |
| Skip CA Certificate verification | require | Establishes an encrypted connection without CA certificate verification. |
Retool uses Node drivers to power our resources, and occasionally, the drivers are limited in their functionality. As a result, not all resources support all modes. For example, MySQL only supports Verify CA Certificate and Skip CA Certificate verification.