# Configure mTLS for SingleStore Kafka Sink Connector

To configure a mutual TLS (mTLS) connection for the SingleStore Kafka Sink Connector ("the connector") on SingleStore:

1. [Generate client certificates](https://docs.singlestore.com/#section-id235540812918396.md).

2. [Create a Java keystore](https://docs.singlestore.com/#section-id235540814049309.md).

3. [Configure SingleStore](https://docs.singlestore.com/#section-id235540820246224.md).

4. [Create a database user](https://docs.singlestore.com/#section-id23554082371942.md) that requires certificate-based mTLS authentication.

5. [Update the connector configuration](https://docs.singlestore.com/#section-id235540828538921.md).

## Generate Client Certificates

Refer to [Generate Client Certificates for SingleStore mTLS Connection](https://docs.singlestore.com/db/v9.1/connect-to-singlestore/connect-to-singlestore-using-tls-ssl/#section-id235236379372745.md) for information on generating the required certificates for mTLS authentication.

The following files are generated:

* `ca-key.pem`: The private key for the CA.
* `ca-cert.pem`: The public CA certificate.
* `client-key.pem`: The client private key.
* `client-cert.pem`: The client certificate signed by the CA.

Additionally, download the [singlestore\_bundle.pem](https://portal.singlestore.com/organizations/org-id/singlestore-ca-cert) certificate file.

## Create a Java Keystore

The connector uses the SingleStore JDBC driver internally, which expects the client certificate and key in a keystore format. Convert the `.pem` files to a `.p12` keystore using OpenSSL. Update the certificate file paths, and then run the following command:

```shell
openssl pkcs12 -export \
  -inkey /path/to/client-key.pem \
  -in /path/to/client-cert.pem \
  -out client-keystore.p12 \
  -name client-cert \
  -CAfile /path/to/ca-cert.pem \
  -caname root \
  -passout pass:<your_keystore_password>
```

This command creates a `client-keystore.p12` file that contains the client certificate, private key, and CA certificate chain, protected by the keystore password (`<your_keystore_password>`).

Copy and securely store the `client-keystore.p12` file.

## Configure SingleStore

Configure a CA in your SingleStore Self-Managed cluster:

1. Copy the `ca-cert.pem` file to the same path on each host running aggregator nodes in the cluster.

2. Run the following command to configure the CA bundle (`ca-cert.pem` file) using the `ssl_ca_for_client_cert` engine variable (update the path before running the command):
   ```shell
   sdb-admin update-config --role aggregator --key ssl_ca_for_client_cert --value /path/to/ca-cert.pem --all --yes
   ```

3. Restart all the nodes in the cluster to apply the changes:
   ```shell
   sdb-admin restart-node --all --yes
   ```

The client certificate is verified using this CA.

## Create a Database User

Create a database user with one of the following options in the `CREATE USER` statement to require certificate-based mTLS authentication (replace `<mtls_password>` with a secure password):

* `REQUIRE X509`: Enables mutual authentication between the client and SingleStore. The user can connect only if the client presents a valid TLS client certificate that is not expired and chains to the CA bundle configured on the server. Connections that do not provide a valid certificate are rejected. Example:
  ```sql
  CREATE USER 's2user'@'%' IDENTIFIED BY '<mtls_password>' REQUIRE X509;
  ```
* `REQUIRE SUBJECT '<subject-dn-string>'`: Extends `REQUIRE X509`. In addition to verifying the certificate chain, `REQUIRE SUBJECT` checks the subject of the client certificate presented during the mTLS connection and enforces that its `Subject DN` exactly matches the configured value. This verifies both trust (via certificate chaining to the CA) and identity (via the `Subject DN` string). For example:
  ```sql
  CREATE USER 's2user'@'%' IDENTIFIED BY '<mtls_password>' REQUIRE SUBJECT '/CN=s2user/O=example/C=US';
  ```
  When running `CREATE USER` or `ALTER USER`, specify the `SUBJECT` in [OpenSSL “oneline” format](https://docs.openssl.org/master/man1/openssl-namedisplay-options/). Separate fields, such as `CN`, `O`, `C`, `ST`, and `L`, with a `/`. To generate the `Subject DN` string in OpenSSL "oneline" format, run the following command:
  ```shell
  openssl x509 -in client-cert.pem -noout -subject -nameopt compat
  ```
  If the `openssl` output escapes characters inside a DN value, escape each backslash (`\`) in the output because the value is entered as a SQL string literal. For example, if the `Subject` contains `\+`, replace it with `\\+` in the `CREATE USER` or `ALTER USER` statement:
  ```sql
  CREATE USER 's2user'@'%' IDENTIFIED BY '<mtls_password>' REQUIRE SUBJECT '/O=example/CN=Js3g\\+AF\\+/C=US';
  ```
  A `Subject` mismatch can return the same generic certificate verification error as CA-chain issues. To troubleshoot, first verify that the client certificate chains to the CA bundle configured on the server (`REQUIRE X509`), and then verify that the `Subject DN` in the certificate exactly matches the configured `REQUIRE SUBJECT` value.

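The following shell helpers, added here as an example and not part of the SingleStore documentation, put the `REQUIRE SUBJECT` steps above together: they read the `Subject DN` in OpenSSL "oneline" format, escape it for a SQL string literal, print the `CREATE USER` statement, and run the two troubleshooting checks in the order the docs recommend (CA chain first, then `Subject DN`). The user name `s2user`, the `<mtls_password>` placeholder and the script name `mtls_user.sh` are assumptions.

```shell
#!/bin/sh
# Added example, not from the SingleStore docs. Helpers for the REQUIRE SUBJECT
# step: read the Subject DN in OpenSSL "oneline" format, escape it for a SQL
# string literal, emit the CREATE USER statement, and run the two checks the
# docs recommend when a certificate is rejected (chain first, then Subject DN).

# Escape backslashes (and single quotes) so the DN survives as a SQL literal:
# /CN=Js3g\+AF\+ becomes /CN=Js3g\\+AF\\+
escape_dn_for_sql() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Build the CREATE USER statement; the password argument is a placeholder.
build_create_user() {
  printf "CREATE USER '%s'@'%%' IDENTIFIED BY '%s' REQUIRE SUBJECT '%s';" \
    "$1" "$2" "$(escape_dn_for_sql "$3")"
}

# Subject DN in "oneline" format, the form REQUIRE SUBJECT compares against.
# Strips the "subject=" prefix that openssl prints (with or without a space).
subject_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Troubleshooting order from the docs: a Subject mismatch and a broken chain
# give the same generic error, so check the chain (what REQUIRE X509 enforces,
# including expiry) before comparing the Subject DN. Returns 0 only if both pass.
check_client_cert() {
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "chain check failed: $1 does not chain to $2" >&2
    return 1
  fi
  actual=$(subject_dn "$1")
  if [ "$actual" != "$3" ]; then
    echo "subject mismatch: certificate has '$actual', expected '$3'" >&2
    return 2
  fi
  echo "ok: $1 chains to $2 and Subject DN matches"
}

# Usage: sh mtls_user.sh client-cert.pem ca-cert.pem  (paths are placeholders)
if [ $# -ge 2 ]; then
  dn=$(subject_dn "$1")
  build_create_user s2user '<mtls_password>' "$dn"; echo
  check_client_cert "$1" "$2" "$dn"
fi
```
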
Grant the required privileges to the database user. Refer to [CREATE USER](https://docs.singlestore.com/db/v9.1/reference/sql-reference/security-management-commands/create-user.md) for related information.

## Update the Connector Configuration

Update the following parameters in the SingleStore Kafka Sink connector's configuration JSON to enable mTLS authentication:

* `connection.user`: Specify the username of the mTLS-enabled SingleStore database user.
* `connection.password`: Specify the password (`<mtls_password>`) for the SingleStore database user.
* `params.sslMode`: Specify either of the following:

  * `verify-ca`: Use SSL/TLS for encryption and perform certificate verification, but do not perform hostname verification.
  * `verify-full`: Use SSL/TLS for encryption, certificate verification, and hostname verification.

  Refer to [sslMode](https://docs.singlestore.com/db/v9.1/developer-resources/connect-with-application-development-tools/connect-with-java-jdbc/the-singlestore-jdbc-driver/#section-idm451733832068803274095333137.md) for more information.
* `params.serverSslCert`: Specify the path to `singlestore_bundle.pem` (include the filename and extension).
* `params.keyStore`: Specify the path to `client-keystore.p12` (include the filename and extension).
* `params.keyStorePassword`: Specify the keystore password (`<your_keystore_password>`) passed to the `openssl` command.
* `params.keyStoreType`: Specify `PKCS12` as the keystore type.

Refer to [SingleStore JDBC Driver - TLS Parameters](https://docs.singlestore.com/db/v9.1/developer-resources/connect-with-application-development-tools/connect-with-java-jdbc/the-singlestore-jdbc-driver/#section-idm451733832068803274095333137.md) for more information on supported SSL/TLS configuration options.

The following is a sample configuration:

```json
{
  "name": "singlestore-sink-connector-mtls",
  "config": {
    "connector.class": "com.singlestore.kafka.SingleStoreSinkConnector",
    "tasks.max": "1",
    "topics": "s2Ingest",

    "connection.clientEndpoint": "svc-XXXX-svchost:3306",
    "connection.database": "dbTest",

    "connection.user": "mtls_user",
    "connection.password": "<mtls_password>",

    "params.sslMode": "verify-full",
    "params.serverSslCert": "/opt/certs/singlestore_bundle.pem",
    "params.keyStore": "/opt/certs/client-keystore.p12",
    "params.keyStorePassword": "<your_keystore_password>",
    "params.keyStoreType": "PKCS12"
  }
}
```

To apply the configuration, deploy or restart the connector.

***

Modified at: June 12, 2026

Source: [/db/v9.1/load-data/integrate-with-singlestore/singlestore-kafka-sink-connector/configure-mtls-for-singlestore-kafka-sink-connector/](https://docs.singlestore.com/db/v9.1/load-data/integrate-with-singlestore/singlestore-kafka-sink-connector/configure-mtls-for-singlestore-kafka-sink-connector/)

