Connect to SingleStore using TLS/SSL

Enable SSL/TLS for a Connection

Most client connections are TLS/SSL-enabled by default, even if no parameters are specified; a default connection, however, is only negotiated opportunistically. To ensure a connection is actually TLS/SSL-enabled, use either (or both) of the following options:

  • Use a client-side flag, such as --ssl-mode=REQUIRED in the MySQL/SingleStore clients, so the client refuses to connect without encryption.

  • Create the user with REQUIRE SSL, so the server rejects unencrypted connections for that user regardless of client settings.

Certificate-Based Authentication

For certificate-based authentication:

  1. Specify a CA using the ssl_ca_for_client_cert engine variable in memsql.cnf. The client certificate is verified using this CA.

  2. Create a database user with one of the following options in the CREATE USER statement to require certificate-based authentication:

    • REQUIRE X509: The user can connect only if the client presents a valid TLS client certificate that is not expired and chains to the CA bundle configured on the server. Connections that do not provide a valid certificate are rejected. For example:

      CREATE USER 's2user'@'%' REQUIRE X509;
    • REQUIRE SUBJECT '<subject-dn-string>': Extends REQUIRE X509 with an identity check: the Subject DN of the client certificate must exactly match the configured string. This option therefore verifies both trust (the certificate chains to the configured CA) and identity (the Subject DN). Because the comparison is an exact string match, copy the Subject from the issued certificate rather than retyping it, keeping field order and values identical.

      CREATE USER 's2user'@'%' REQUIRE SUBJECT '/CN=s2user/O=example/C=US';

      Note: While running CREATE USER or ALTER USER, specify the Subject in OpenSSL "oneline" format: each field (CN, O, C, ST, L, etc.) is prefixed with a /, for example /C=US/O=ExampleOrg/CN=s2user. This is the same form used by the -subj argument of openssl req.

    Users configured with REQUIRE X509 or REQUIRE SUBJECT can authenticate using their TLS client certificate instead of a database password. This reduces dependency on shared secrets and provides stronger, certificate‑based identity validation. Refer to CREATE USER for related information.

  3. Specify the client certificate and client key while connecting using the --ssl-cert and --ssl-key client options, respectively.
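Because REQUIRE SUBJECT is an exact string match, it is safer to derive the string from the issued certificate than to retype it. The following shell functions are an added example, not part of the SingleStore documentation: dn_to_oneline converts the subject line printed by openssl x509 -noout -subject (either the current "C = US, ST = CA, ..." form or the older "/C=US/ST=CA/..." form) into the /-separated string CREATE USER expects, and require_subject_sql emits the matching statement. The user name s2user, the file name client-cert.pem and the sample subjects are assumptions taken from the examples on this page; the conversion assumes no attribute value itself contains ", " or " = ".

```shell
#!/bin/sh
# Added example (not SingleStore's code): derive the REQUIRE SUBJECT string
# for CREATE USER from a client certificate instead of retyping it.

# Convert the output of `openssl x509 -noout -subject` into the /-separated
# "oneline" form used by CREATE USER ... REQUIRE SUBJECT. Handles both
#   subject=C = US, ST = CA, L = SanFrancisco, ...   (OpenSSL 1.1 / 3.x default)
#   subject= /C=US/ST=CA/L=SanFrancisco/...          (older default, -nameopt compat)
# Assumption: no attribute value contains ", " or " = ".
dn_to_oneline() {
    dn=$(printf '%s' "$1" | sed -e 's/^subject= *//')
    case "$dn" in
        /*) printf '%s\n' "$dn" ;;                               # already oneline
        *)  printf '/%s\n' "$dn" | sed -e 's/ = /=/g' -e 's|, |/|g' ;;
    esac
}

# Read the Subject DN of a PEM certificate file and return it in oneline form.
# Requires openssl on PATH.
cert_subject_oneline() {
    dn_to_oneline "$(openssl x509 -in "$1" -noout -subject)"
}

# Emit the CREATE USER statement that binds user "$1" to the Subject DN "$2".
# Single quotes inside the DN are doubled so the SQL literal stays valid.
require_subject_sql() {
    dn=$(printf '%s' "$2" | sed "s/'/''/g")
    printf "CREATE USER '%s'@'%%' REQUIRE SUBJECT '%s';\n" "$1" "$dn"
}

# Return 0 if the DN configured on the server ("$1") equals the Subject of the
# certificate file "$2"; a mismatch here means the user is refused at connect time.
subject_matches() {
    [ "$(cert_subject_oneline "$2")" = "$1" ]
}

# Usage: print the statement for the certificate minted on this page, if present.
if [ -f client-cert.pem ]; then
    require_subject_sql s2user "$(cert_subject_oneline client-cert.pem)"
fi
```

Run subject_matches against the string you put in CREATE USER after rotating a certificate: a re-issued certificate whose Subject differs by one field will chain to the CA (and so pass REQUIRE X509) but still be rejected under REQUIRE SUBJECT.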

The VERIFY_CA option is not required to establish a TLS/SSL connection: --ssl-mode=REQUIRED encrypts the session but does not verify the server's certificate. Without that verification, an attacker in the network path can impersonate the server with an illegitimate certificate (or, when SSL is not required, strip TLS entirely) and read or modify the traffic. To prevent this, pass --ssl-mode=VERIFY_CA (or VERIFY_IDENTITY, which additionally checks that the certificate matches the host name) together with --ssl-ca pointing to a CA certificate obtained out of band (offline). This applies to any SSL connection, not only to SingleStore.

Refer to SSL Secure Connections for more information.

Refer to The SingleStore JDBC Driver for details on how to connect using JDBC.

Generate Client Certificates for SingleStore mTLS Connection

Create a client certificate/key pair signed by the CA, and pass these files to the client's --ssl-cert and --ssl-key options for mutual TLS (mTLS) authentication.

The CA certificate (ca-cert.pem) must also be trusted by the SingleStore cluster configuration for client authentication.

Prerequisites

Install OpenSSL. For example, for Ubuntu/Debian:

sudo apt-get install openssl -y

Create a Certificate Authority (CA)

If you already have a CA certificate from your organization or another trusted source, skip this step and use the existing CA to sign the client certificate. The CA generated below is suitable for local testing only.

  1. Generate a CA private key:

    openssl genrsa -out ca-key.pem 4096
  2. Generate a CA certificate:

    openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 3650 -out ca-cert.pem \
      -subj "/C=US/ST=CA/L=SanFrancisco/O=ExampleOrg/OU=IT/CN=Example-CA"

You now have:

  • ca-key.pem: The private key for your CA.

  • ca-cert.pem: The public CA certificate.

Keep the CA key (ca-key.pem) private and secure.

Refer to Certificate-Based Authentication - step 1 for information on how to configure a CA for your cluster.

Create the Client Certificate and Key

  1. Generate the client private key and certificate signing request (CSR) as follows:

    openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem \
      -subj "/C=US/ST=CA/L=SanFrancisco/O=ExampleOrg/OU=Client/CN=client.example.com"
  2. Create a client certificate signed by the CA. The following command uses the CA’s certificate and key to sign the client’s certificate.

    openssl x509 -req -in client-req.pem -CA ca-cert.pem -CAkey ca-key.pem \
      -CAcreateserial -out client-cert.pem -days 365 -sha256

You now have:

  • client-key.pem: Client private key.

  • client-cert.pem: Client certificate signed by the CA.

Verify the Certificates

Run the following command to verify that the client certificate is properly signed by the CA:

openssl verify -CAfile ca-cert.pem client-cert.pem

Output similar to the following indicates that the client certificate is properly signed by the CA:

client-cert.pem: OK
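The procedure above, wrapped into reusable shell functions as an added example (not SingleStore's own tooling). It reproduces the page's openssl commands and then adds the checks a practitioner runs before handing the files to --ssl-cert and --ssl-key: the certificate chains to the intended CA, it is not about to expire, and its public key matches the private key. The directory layout, the file naming scheme and the use of a locally generated test CA are assumptions; in production, use your organization's CA as noted above.

```shell
#!/bin/sh
# Added example (not SingleStore's code): mint and check a client certificate
# for SingleStore mTLS. Requires openssl on PATH.

# Create a test CA in directory "$1" (local testing only; skip in production).
make_test_ca() {
    dir=$1
    mkdir -p "$dir" || return 1
    openssl genrsa -out "$dir/ca-key.pem" 4096 2>/dev/null || return 1
    openssl req -x509 -new -nodes -key "$dir/ca-key.pem" -sha256 -days 3650 \
        -out "$dir/ca-cert.pem" \
        -subj "/C=US/ST=CA/L=SanFrancisco/O=ExampleOrg/OU=IT/CN=Example-CA" \
        2>/dev/null || return 1
}

# Mint a client key and certificate for CN "$2", signed by the CA in "$1",
# valid for "$3" days. Writes "$1/$2-key.pem" and "$1/$2-cert.pem";
# -CAcreateserial also writes "$1/ca-cert.srl" on first use.
mint_client_cert() {
    dir=$1; cn=$2; days=$3
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$cn-key.pem" \
        -out "$dir/$cn-req.pem" \
        -subj "/C=US/ST=CA/L=SanFrancisco/O=ExampleOrg/OU=Client/CN=$cn" \
        2>/dev/null || return 1
    openssl x509 -req -in "$dir/$cn-req.pem" -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/$cn-cert.pem" \
        -days "$days" -sha256 2>/dev/null || return 1
    rm -f "$dir/$cn-req.pem"   # the CSR is not needed once the cert is signed
}

# Print "ok" and return 0 only if cert "$2" chains to CA "$1", is valid for at
# least one more day, and its public key matches private key "$3" (the pair
# that will be passed as --ssl-cert / --ssl-key). Otherwise print the failing
# check and return 1.
check_client_cert() {
    ca=$1; cert=$2; key=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: FAIL (not signed by $ca)"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "expiry: FAIL (expires within 24h)"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "keypair: FAIL (certificate does not match private key)"; return 1; }
    echo "ok"
}

# Usage:
#   make_test_ca ./pki && mint_client_cert ./pki client.example.com 365
#   check_client_cert ./pki/ca-cert.pem ./pki/client.example.com-cert.pem \
#                     ./pki/client.example.com-key.pem
```

The negative case matters as much as the positive one: a certificate issued by a different CA with an identical Subject passes a casual inspection of openssl x509 -text but fails the chain check, which is exactly what ssl_ca_for_client_cert enforces on the server side.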

Use the Certificates

When connecting to SingleStore with mTLS, specify the client certificate and key, and point --ssl-ca at the CA that issued the server's certificate so the client verifies the server as well. This may be the same CA that signed the client certificate or a different one.

mysql -u user \
--ssl-mode=VERIFY_CA \
--ssl-ca=/path/to/ca-cert.pem \
--tls-version=TLSv1.2 \
--ssl-cert=/path/to/client-cert.pem \
--ssl-key=/path/to/client-key.pem

Ensure the SingleStore server is configured with a server certificate and key, and that ssl_ca_for_client_cert points at the CA that signed the client certificate, before running this command.

Last modified: March 16, 2026
