Connect to SingleStore using TLS/SSL

On this page

Most client connections are TLS/SSL by default, even if no parameters are specified.

The options available that ensure a TLS/SSL connection are:

Using the client side flag, such as --ssl-mode=REQUIRED in MySQL/Singlestore clients.
Using a user created with REQUIRE SSL (enforces on the server side).

The VERIFY_CA option is not required to use TLS/SSL. However, it can be used to prevent sophisticated man-in-the-middle attacks where a would-be attacker can impersonate a server when SSL is disabled or create a secure connection by impersonating a server using an illegitimate server certificate. If this is a concern, then use offline CA files in any SSL connection (not only Singlestore).

Refer to SSL Secure Connections for more information.

Refer to The SingleStore JDBC Driver for details on how to connect using JDBC.

Using the Certificates

When connecting to SingleStore with mTLS, specify the client certificate and key. Ensure the server is configured with server cert and key before using the following command.

mysql -u user \
--ssl-ca=/path/to/ca.pem \
--tls-version=TLSv1.2 \
--ssl-cert=/path/to/client-cert.pem \    	
--ssl-key=/path/to/client-key.pem

Last modified: October 30, 2025

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

(Optional) Run the following command to view the associated signature files.
Shell
```
curl undefined
```
Download the signature file from the SingleStore release server.
- Option 1: Click the Download Signature button next to the SingleStore file.
- Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.
- Option 3: Run the following command to download the signature file.
  Shell
```
curl -O undefined
```

After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

Shell

echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
      --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
      --bundle undefined \
      --new-bundle-format -

Verified OK