Validated Certificates & Keys
When Fivetran connects to your source databases or destinations, it may need you to confirm the identity of the remote server before proceeding. This confirmation is called validation, and it applies to two types of items:
- TLS certificates - used when connecting to a server that presents a self-signed certificate or a certificate issued by a private Certificate Authority (CA).
- Host key fingerprints - used when connecting through an SSH tunnel to verify the identity of the SSH server.
All previously validated items for your account are listed in the Validated Certificates & Keys section of Account Settings > General.
You need the Account Administrator role to view and manage validated certificates and keys.
TLS certificates
Fivetran encrypts connections to your data sources and destinations. When the remote server presents a certificate issued by a well-known public Certificate Authority, we trust it automatically. However, when the server uses a self-signed certificate or a certificate from a private CA, we can't verify its authenticity without your input.
In these cases, we display the server's certificate during connection setup and ask you to confirm it before the connection can proceed. Confirming the certificate tells us to trust it for that specific connection or destination going forward.
Databases and destinations hosted on major cloud platforms, such as Amazon RDS, Google Cloud SQL, and Azure Database, typically use publicly trusted certificates that do not require manual validation.
Once confirmed, we use the stored certificate automatically on every subsequent sync. You only need to revalidate if the server's certificate changes — for example, after expiry and renewal, or if the server is reconfigured.
SSH host fingerprints
When you configure a connection to use an SSH tunnel, Fivetran connects to your SSH server as part of the data pipeline. During the first connection test, we display the SSH server's host key fingerprint and ask you to confirm it.
Confirming the fingerprint tells us that the SSH server we are connecting to is the one you intended. This is a standard SSH security practice to guard against connecting to an unintended server.
Once confirmed, we use the stored fingerprint automatically on every subsequent sync. You only need to revalidate if the SSH server's host key changes.
View validated certificates and keys
To view all validated certificates and keys for your account:
- In your Fivetran dashboard, go to Account Settings > General.
- Scroll down to the Validated Certificates & Keys section.
The table lists all TLS certificates and SSH host fingerprints that users on your account have validated. You can search the list by connection name, destination name, or certificate name. You can also sort the table by any of the columns:
- Connection - The source connection that uses this certificate or key.
- Destination - The destination associated with this certificate or key.
- Name - The name of the certificate or SSH host key.
- Type - TLS for certificates or SSH for host fingerprints.
- Validated by - The user who performed the validation.
- Validated date - The date and time the item was validated.
View certificate or key details
To inspect the full public key of a validated item, click the view icon in the row. A details panel displays the public key content. For TLS certificates, it also shows the SHA-1 and SHA-256 fingerprints.
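The following is an added example, not Fivetran code: if you can obtain the server's certificate (PEM) or SSH host public key directly from the server, you can compute the fingerprints yourself and compare them with the values shown in the details panel or validation prompt. The sample inputs are constructed placeholders, and the OpenSSH-style SHA256: form used for the host key is an assumption about the displayed format.

```python
import base64
import hashlib
import struct


def _colon_hex(digest: bytes) -> str:
    return ":".join(f"{b:02X}" for b in digest)


def tls_fingerprints(pem_cert: str) -> dict:
    """SHA-1 and SHA-256 of the certificate's DER bytes, as colon-separated hex."""
    lines = [ln.strip() for ln in pem_cert.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("expected exactly one PEM certificate")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return {"sha1": _colon_hex(hashlib.sha1(der).digest()),
            "sha256": _colon_hex(hashlib.sha256(der).digest())}


def ssh_fingerprint(pubkey_line: str) -> str:
    """'SHA256:' + unpadded base64 of SHA-256 over the public key blob."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own key-type string; reject a mismatched line.
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match the declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def same_hex_fingerprint(displayed: str, computed: str) -> bool:
    """Compare hex fingerprints, ignoring case, colons and whitespace."""
    def norm(s: str) -> str:
        return "".join(s.split()).replace(":", "").lower()
    return bool(norm(displayed)) and norm(displayed) == norm(computed)


# Constructed sample inputs (placeholders, not real server material).
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_SSH = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"

if __name__ == "__main__":
    print(tls_fingerprints(SAMPLE_PEM))
    print(ssh_fingerprint(SAMPLE_SSH))
```

Confirm a prompt only when the value you computed from the server's own material matches the displayed one; a mismatch means the endpoint presenting the certificate or key is not the one you inspected.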
Revoke a certificate or key
Revoking a validated item removes our stored trust for it. For connections, revoking a certificate or key will cause the next sync of the affected connection to fail. For destinations, revoking a certificate or key will cause the next sync of any connection writing to that destination to fail. The sync will continue to fail until the item is revalidated.
Common reasons to revoke a validated item are as follows:
- The server's TLS certificate was renewed or replaced (for example, after expiry), and syncs are now failing because the stored certificate no longer matches.
- The SSH server's host key was rotated or the server was re-provisioned.
- You want to force revalidation after a server reconfiguration.
Only revoke an item when you intend to immediately revalidate it, for example, after the server's certificate or key has changed.
To revoke a validated item:
- In your Fivetran dashboard, go to Account Settings > General.
- Scroll down to Validated Certificates & Keys.
- Locate the item you want to revoke.
- Click the revoke icon in the row.
- Confirm the revocation in the dialog that appears.
Depending on which item you revoked, one of the following dashboard tasks will appear with instructions to revalidate:
- Revalidate TLS Certificate - for certificate changes.
- Validate SSH fingerprint change - for SSH key changes in connections.
- Change in Warehouse SSH Key Detected - Revalidate - for SSH key changes in destinations.
To revalidate after revoking:
- Go to the affected connection's or destination's details page.
- Click the three-dot menu in the top right corner of the page.
- Click Test connection to run a connection test.
- Confirm the new certificate or fingerprint when prompted.