Generating SSL Certificates
To enable SSL, you must generate certificates and keys (or use existing ones, but sharing keys across different services is not recommended in general).
Each SingleStoreDB node that will receive SSL connections needs a server certificate and key; these can be the same or different for all servers.
Here are example steps for generating a set of self-signed certificates and keys to use with SingleStoreDB.
    mkdir certs
    cd certs

    ## The subject string for certificate signing requests.
    ## Edit the details to match your organization.
    SUBJ="/C=US/ST=CA/L=San Francisco/O=MemSQL/CN="
    CA_SUBJ="${SUBJ}memsql.ssl.test.ca"
    SERV_SUBJ="${SUBJ}memsql.ssl.test.server"

    ## create the CA cert and key
    openssl genrsa 2048 > ca-key.pem
    openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem -subj "$CA_SUBJ"

    ## create the server cert, key, and sign with CA
    openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem -subj "$SERV_SUBJ"
    openssl rsa -in server-key.pem -out server-key.pem
    openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

    ## verify the certificate chain
    openssl verify -CAfile ca-cert.pem server-cert.pem
Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to the directory).
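The checks implied by the steps above (chain, key/certificate match, expiry, ownership) can be scripted and run on each node after the files are copied. This is an added example, not part of the SingleStoreDB documentation: the file names follow the page, while the function names, exit codes, and the constructed test subjects are this example's own.

```shell
#!/bin/sh
# Added example: sanity checks for a certificate directory before deployment.

# check_cert_dir DIR OWNER GROUP
# Returns 0 if all checks pass, otherwise a code naming the first failure.
check_cert_dir() {
    dir=$1 owner=$2 group=$3
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -r "$dir/$f" ] || return 10      # required file missing or unreadable
    done
    # 1. The server certificate must chain to the CA certificate.
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" 2>/dev/null \
        | grep -q ': OK$' || return 11
    # 2. The private key must belong to the certificate (public keys match).
    cert_pub=$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey) || return 12
    key_pub=$(openssl pkey -in "$dir/server-key.pem" -pubout 2>/dev/null) || return 12
    [ "$cert_pub" = "$key_pub" ] || return 12
    # 3. The certificate must not already be expired.
    openssl x509 -in "$dir/server-cert.pem" -noout -checkend 0 >/dev/null || return 13
    # 4. The directory and everything in it must be owned by OWNER:GROUP.
    if find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print | grep -q .; then
        return 14
    fi
    return 0
}

# make_fixture DIR: build a throwaway CA and server certificate in DIR
# (constructed test data, created with the same openssl commands as the page).
make_fixture() {
    ( cd "$1" &&
      openssl genrsa -out ca-key.pem 2048 &&
      openssl req -new -x509 -nodes -days 30 -key ca-key.pem -out ca-cert.pem \
          -subj "/O=Example/CN=example.test.ca" &&
      openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
          -out server-req.pem -subj "/O=Example/CN=example.test.server" &&
      openssl x509 -req -in server-req.pem -days 30 -CA ca-cert.pem \
          -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    ) >/dev/null 2>&1
}
```

On a node, the call would be check_cert_dir <directory> memsql memsql; a non-zero exit code identifies which check failed (10 missing file, 11 chain, 12 key mismatch, 13 expired, 14 ownership).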
Last modified: June 22, 2022