Generating SSL Certificates

To enable SSL, you must generate certificates and keys (or use existing ones, but sharing keys across different services is not recommended in general).

Each SingleStoreDB node which will be receiving SSL connections needs a server certificate and key - these can be the same or different for all servers. The server certificate(s) should be signed by a CA certificate.

Here are example steps for generating a set of self-signed certificates and keys to use with SingleStoreDB. You can also use certificates with more sophisticated X509 certificate chains, but the process to create these certificates is beyond the scope of this document.

mkdir certs
cd certs

## The subject string for certificate signing requests.
## Edit the details to match your organization.
SUBJ="/C=US/ST=CA/L=San Francisco/O=MemSQL/CN="
CA_SUBJ="${SUBJ}memsql.ssl.test.ca"
SERV_SUBJ="${SUBJ}memsql.ssl.test.server"

## create the CA cert and key
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem -subj "$CA_SUBJ"

## create the server cert, key, and sign with CA
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem -subj "$SERV_SUBJ"
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

## verify the certificate chain
openssl verify -CAfile ca-cert.pem server-cert.pem

Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to directory).