# Server Configuration for Secure Client Connections

This section describes how to enable secure connections between clients and the SingleStore cluster, but not between nodes within the SingleStore cluster. This requires configuring the `ssl_cert` and `ssl_key` settings on all aggregators.

Note that, depending on the client configuration, a client connecting to SingleStore may or may not use a secure connection even when SSL is enabled on the server. See the [Server Configuration to Require Secure Client-Cluster Connections](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections/server-configuration-to-require-secure-client-connections.md) section.

## SingleStore Tools

1. Place `server-cert.pem` and `server-key.pem` files in the `certs` directory on each aggregator in the cluster. You can copy the files from the [Generating SSL Certificates](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections/generating-ssl-certificates.md) section to all aggregators.

   Note that the `certs` directory and its contents must be owned by the `memsql` user and group (e.g., `chown -R memsql:memsql <directory>` after copying the certificates to `directory`).

2. Update the SingleStore configuration for all aggregators (it is also fine to configure all nodes) to set the `ssl_cert` and `ssl_key` settings to the paths to the `server-cert.pem` and `server-key.pem` files, respectively. These can be absolute paths, or relative to the SingleStore installation directory. You can do this by using `sdb-admin update-config`. For example:
   ```shell
   sdb-admin list-nodes -q -r aggregator | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_cert --value ./certs/server-cert.pem --memsql-id "$@"' memsql

   ```
   ```shell
   sdb-admin list-nodes -q -r master | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_cert --value ./certs/server-cert.pem --memsql-id "$@"' memsql

   ```
   ```shell
   sdb-admin list-nodes -q -r aggregator | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_key --value ./certs/server-key.pem --memsql-id "$@"' memsql

   ```
   ```shell
   sdb-admin list-nodes -q -r master | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_key --value ./certs/server-key.pem --memsql-id "$@"' memsql

   ```

3. **Alternatively**, edit the `memsql.cnf` file on all aggregators to add the certificate paths in the `[server]` section. For example:
   ```
   ssl_cert = ./certs/server-cert.pem
   ssl_key = ./certs/server-key.pem

   ```

4. Restart all SingleStore aggregators.
   ```shell
   sdb-admin restart-node --all

   ```

***

Modified at: April 26, 2023

Source: [/db/v9.1/security/encryption/ssl-secure-connections/server-configuration-for-secure-client-connections/](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections/server-configuration-for-secure-client-connections/)

(An index of the documentation is available at /llms.txt)