Introduction to configuring SSL/TLS resources

To securely connect Retool to resources protected by custom SSL certificates, you'll need to add your CA certificates to Retool's trusted certificate store.

SSL/TLS is a security technology that protects data as it moves between computers over the internet. These protocols use PEM certificates to verify identity and encrypt communications.This means that when Retool talks to a database or API, SSL ensures it’s talking to the real server and that no one can snoop on the conversation.

When setting up a resource on Retool you might have a username & password authentication set up, for instance. That will protect the resource’s data and ensure that only permitted users can access this data.

• However, these credentials only control access—they don't encrypt the communication channel itself. Without encryption, anyone intercepting the network traffic between Retool and your resource can view all transmitted data in plain text

• Without SSL Retool has no way to verify it is connecting to the actual resource server. An attacker could impersonate the resource server and intercept all data sent from Retool, including authentication credentials

SSL certificates address both of these security concerns: they verify the server's identity and encrypt all communication between Retool and your resources:

How SSL Works Between Retool and Databases/APIs

Typical Database SSL/TLS Flow

• Retool is the client, the resource (DB/API) is the server

• The server presents its certificate (PEM format) to Retool

• Retool checks if the certificate is valid and trusted

• If valid, an encrypted connection is established by Retool and the resource

This may seem counterintuitive—you might expect the server to check the client's certificate to ensure it can be trusted- this is, however, taken care of with the resource authentication (ie. username and password). With SSL connections the client verifies the server's certificate.

Think of it like going to the bank - before you hand over your credit card details, you need to verify you're at the real bank and not a fake storefront run by scammers.

This process ensures the client can be certain it's communicating with the legitimate server and not an impostor. This is called server authentication and protects against man-in-the-middle attacks where attackers impersonate your database or API.

Why Encryption & Verification Matter

Even when the database is in AWS, the connection usually travels across the public internet. Without SSL/TLS, attackers could intercept or impersonate your server—stealing data, credentials, or queries. With SSL/TLS, all data is encrypted, and the client refuses to connect if the server’s identity cannot be verified.

How Retool and Node.js Handle Certificates

When Retool connects to an HTTPS API or cloud database, it's Node.js running inside a Docker container making those network connections. For connections to succeed, Node.js must trust any certificate the server provides.

• Public CA certificates are trusted by default

• For internal systems using your own CA, Node.js needs to explicitly be told about your CA

[continued in next post]

How to set this up in Retool?

1. In the Resource directly

• Add the CA certificate. For most resources that will be enough
• Client Key and Client Certificate are needed when your database requires mutual TLS authentication (mTLS) where both sides verify each other with certificates
  • Some high-security environments mandate this
  • Most databases typically use username/password for client auth, so you wouldn’t need to set these
• Verification modes:
  • Full verification is recommended and the most secure
  • Verify CA Certificate can be vulnerable to man-in-the-middle if attacker has any valid cert from the same CA
  • Skip CA Certificate verification not recommended, traffic will be encrypted but server identity is not verified (used for testing or troubleshooting)

CleanShot 2025-10-30 at 17.11.09@2x1238×748 61.8 KB

2. In Deployment config (Docs here)

Unfortunately it’s currently not possible to sync resources with pem files across your instances via Source Control - a workaround here is to set this up in your instances and set the resource up as follows.

Also any certs included in your deployment config would then essentially be trusted for all the more general HTTPS traffic coming to and from the container (whether that's other resource queries, connecting to a server with custom certs for source control, etc.)

• Tick use SSL/TLS in your resource but don’t upload a CA Certificate:
  

  

  CleanShot 2025-10-30 at 17.11.49@2x1236×756 59.8 KB

• Get your PEM file from your resource provider. For AWS RDS resources, download the regional certificate bundle (AWS uses certificates from trusted CAs like Amazon Trust Services). Your certificate (PEM file) will look something like this
  

  

  CleanShot 2025-10-30 at 17.12.18@2x792×526 157 KB

• Create a folder in your deployment (in root) called ca

• Create a pem file in folder ca and copy paste your certificate into it
  

  

  CleanShot 2025-10-30 at 17.12.49@2x400×670 41.7 KB

• Create a pem file in folder ca and copy paste your certificate into it

• Mount the volume in your api service in your compose.yaml file
  

  

  CleanShot 2025-10-30 at 17.13.16@2x842×612 56.5 KB

• Tell your Node.js that it can trust certificates the server provides by setting the following env vars in your docker.env
  

Some other tips

• You can decode your PEM certificate with a certificate decoder
  

  

  CleanShot 2025-10-30 at 17.14.35@2x1092×912 155 KB

• The functionality that was previously handled by a separate db-connector service is now included in the api service. The api service handles both the main backend and the database connector roles. If your deployment runs a db-connector separately mount your certificate in the service as outlined in our docs

• Your self hosted instance will automatically be set up with a global-bundle.pem which ensures SSL for your main storage DB that holds all your user, permission, page_saves, etc. records of your instance. You can see this by exec’ing into your api container and running ls certs.

Further Reading

• Community post on Set Retool on-prem to connect to External API with SSL/TLS
• Different applications don't share a universal certificate trust store—each technology (OpenSSL, Java, Node.js, etc.) maintains its own list of trusted CAs in different locations, which is why you need to configure certificates specifically for the technology you're using. Retool builds it’s image with Debian as base image (see here)