Generating SSL Certificates
To enable SSL, you must generate certificates and keys (or use existing ones, but sharing keys across different services is not recommended in general).
Each SingleStoreDB node that will receive SSL connections needs a server certificate and key; these can be the same or different across servers. The server certificate(s) should be signed by a CA certificate.
Here are example steps for generating a set of self-signed certificates and keys to use with SingleStoreDB. You can also use certificates with more sophisticated X509 certificate chains, but the process to create these certificates is beyond the scope of this document.
    mkdir certs
    cd certs

    ## The subject string for certificate signing requests.
    ## Edit the details to match your organization.
    SUBJ="/C=US/ST=CA/L=San Francisco/O=MemSQL/CN="
    CA_SUBJ="${SUBJ}memsql.ssl.test.ca"
    SERV_SUBJ="${SUBJ}memsql.ssl.test.server"

    ## create the CA cert and key
    openssl genrsa 2048 > ca-key.pem
    openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem -subj "$CA_SUBJ"

    ## create the server cert, key, and sign with CA
    openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem -subj "$SERV_SUBJ"
    openssl rsa -in server-key.pem -out server-key.pem
    openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

    ## verify the certificate chain
    openssl verify -CAfile ca-cert.pem server-cert.pem
Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to the directory).
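A check to run on a node after copying the files, added here as an example and not part of the SingleStoreDB documentation or tooling. It assumes the file names used in the steps above. The function name check_cert_dir, the 30-day expiry window and the key permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check a certs directory produced by the steps above.
# Usage: check_cert_dir DIR [USER:GROUP]   (returns 0 only if every check passes)
# Assumed file names: ca-cert.pem, server-cert.pem, server-key.pem.

check_cert_dir() {
    dir=$1 owner=${2:-} rc=0
    ca=$dir/ca-cert.pem cert=$dir/server-cert.pem key=$dir/server-key.pem

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done

    # 1. The server certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca" >&2; rc=1; }

    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert" >&2; rc=1; }

    # 3. Assumption: treat a certificate expiring within 30 days as a failure.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: $cert expires within 30 days" >&2; rc=1; }

    # 4. Assumption (not from the page): no group/other permission bits on the key.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group or others" >&2; rc=1; }

    # 5. Optional: directory and contents owned by USER:GROUP, e.g. memsql:memsql.
    if [ -n "$owner" ]; then
        ls -ld "$dir" "$dir"/* |
            awk -v u="${owner%%:*}" -v g="${owner#*:}" \
                '$3 != u || $4 != g { bad = 1 } END { exit bad }' ||
            { echo "FAIL: not everything is owned by $owner" >&2; rc=1; }
    fi
    return $rc
}
```

After sourcing the file, call it as: check_cert_dir /path/to/certs memsql:memsql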