Skip to main content

Security

TLS certificates

Kurrent Cloud provisions secure KurrentDB clusters with TLS enabled for HTTP and GRPC using certificates issued by Let's Encrypt, or when Mutual TLS is enabled, a private certificate authority that is unique to each deployment. We automatically renew the certificates before they expire and replace the certificates on all cluster nodes. This is all done with zero impact to client connections or cluster availability.

Third party certificates are not supported.

Changing the initial password

During the deployment process, Kurrent Cloud will automatically generate an initial password for the admin user. This password can be changed via the database UI or API. For more information refer to the section of the KurrentDB documentation. Once reset, the Clear initial admin credentials button should be clicked on the Security -> Initial Credentials tab for the given cluster (refer to the section).

Enabling Mutual TLS

If a cluster does not have Mutual TLS enabled, it can be activated on demand. Clicking the elipses button (three vertical bubbles) found in either the cluster details or listing view, reveals the following actions:

Actions Popup
Actions Popup

Click the Enable Mutual TLS option. The following confirmation modal will be shown:

Actions Popup
Actions Popup

After entering the name of the cluster (clicking the cluster name will automatically copy the name), click the Enable Mutual TLS button. The cluster listing is then refreshed to show an Updating status for the cluster, an example is shown below:

MTLS Enabling
MTLS Enabling

Once enabled, a new certificate icon will be visible along with the status showing as Ok:

MTLS Enabled
MTLS Enabled

The cluster will leverage a unique private certificate authority. The next step is to and install the generated certificate bundle.

Download Certificate Bundle (when Mutual TLS is enabled)

The certificate bundle can be downloaded when Mutual TLS is enabled (refer to the section). Several places allow downloads, for example:

  • Click the certificate icon next to the cluster in the Cluster view
  • Click the certificate icon next to the Connect to <cluster name> button
  • Navigate to the tab Security -> Certificate Bundle in the Cluster details view and click the Download Certificate Bundle button

Once the bundle has downloaded, it can be extracted to reveal the following files:

NameDescription
ca.crtThe private certificate authority
tls.crtThe client certificate
tls.keyThe private key associated with the client certificate
bundle.p12Bundle that contains the files described above (to permit easy installation in to a local keychain)

Install Certificate Bundle (Windows)

After following the steps in the and sections, the certificate bundle can be installed as follows:

  1. Extract the certificate_bundle.tar.gz, the contents will look as follows:
Certificate Listing
Certificate Listing

  1. Double-click the bundle file.

  2. The certificate import wizard will be displayed:

Import Wizard - Step 1
Import Wizard - Step 1

Make sure Current User is selected and press the Next button.

  1. Confirm that the bundle path is correct and click the Next button.
Import Wizard - Step 2
Import Wizard - Step 2
  1. Enter the password for the certificate bundle: kurrent.
Import Wizard - Step 3
Import Wizard - Step 3
  1. Select the option Automatically select the certificate store based on the type of certificate and click Next.
Import Wizard - Step 4
Import Wizard - Step 4
  1. Click the Finish button.
Import Wizard - Step 5
Import Wizard - Step 5
  1. The certificate import process will then begin and prompt you for confirmation. Click the Yes button.
Import Wizard - Step 6
Import Wizard - Step 6
  1. The import process will then complete and display the following:
Import Wizard - Step 7
Import Wizard - Step 7
  1. Verify that the KurrentDB UI is now accessible by navigating to the URL shown in the Cluster details pane under the Addresses tab. Note that some browsers require restarting to pick up certificate changes. If you're using Chrome, try an Incognito tab. Note you may be prompted to add the certificate to the browser keystore, follow the onscreen instructions.

The browser should show the following:

Database UI with mTLS
Database UI with mTLS

Click the Ok button and the KurrentDB UI should be shown as follows:

Database UI with mTLS
Database UI with mTLS

Install Certificate Bundle (Mac)

After following the steps in the and sections, the certificate bundle can be installed as follows:

  1. Extract the certificate_bundle.tar.gz, the contents will look as follows:
Certificate Listing
Certificate Listing

  1. Double-click the bundle.p12 file.

  2. Enter the password for the certificate bundle: kurrent.

Bundle Password Prompt
Bundle Password Prompt
  1. Open the keychain utility and navigate to the Certificates tab. The following screen should display two new certificates:
Untrusted Certificate
Untrusted Certificate
  1. Double-click the *-ca certificate, in the example shown above it would be cuibbfkgdubf52i0okcg-ca. The following screen will be displayed:
Untrusted Certificate
Untrusted Certificate
  1. Expand the Trust section to display:
Untrusted Certificate
Untrusted Certificate
  1. Click the drop-down box next to the field When using this certificate and select Always Trust. The screen should resemble:
Untrusted Certificate
Untrusted Certificate

Click the close button (top left), you will be prompted to enter you password to make the changes.

  1. The private certificate authority should now be trusted, and the certificate listing should look as follows:
Trusted Certificate
Trusted Certificate
  1. Verify that the KurrentDB UI is now accessible by navigating to the URL shown in the Cluster details pane under the Addresses tab. Note that some browsers require restarting to pick up certificate changes. If you're using Chrome, try an Incognito tab. Note you may be prompted to add the certificate to the browser keystore, follow the onscreen instructions.

The browser should show the following:

Database UI with mTLS
Database UI with mTLS

Click the Ok button and the KurrentDB UI should be shown as follows:

Database UI with mTLS
Database UI with mTLS

Install Certificate Bundle (Linux)

After following the steps in the and sections, the certificate bundle can be installed according to the distribution being used. Please review your vendor specific instructions for installing a certificate authority.

Disabling Mutual TLS

If a cluster has Mutual TLS enabled, it can be deactivated on demand. Clicking the elipses button (three vertical bubbles) found in either the cluster details or listing view, reveals the following actions:

Actions Popup
Actions Popup

Click the Disable Mutual TLS option. The following confirmation modal will be shown:

Actions Popup
Actions Popup

After entering the name of the cluster (clicking the cluster name will automatically copy the name), click the Disable Mutual TLS button. The cluster listing is then refreshed to show an Updating status for the cluster, an example is shown below:

MTLS Enabling
MTLS Enabling

Once disabled, the certificate icon will no longer visible. The cluster status will show Ok:

MTLS Enabled
MTLS Enabled

Once disabled, the cluster will leverage a trusted certificate provided by Lets Encrypt.

Last update: 3/13/2025, 6:40:39 PM
Contributors: Mark Morrissey