# Enabling TLS on MariaDB Server

## Overview

MariaDB Server supports data-in-transit encryption, which secures data transmitted over the network. The server and its clients encrypt data using the Transport Layer Security (TLS) protocol, the successor to the Secure Sockets Layer (SSL) protocol.

TLS must be manually enabled on the server, which is what this page describes.

## Enabling TLS

{% stepper %}
{% step %}

#### Acquire an X509 certificate and a private key for the server.

If it is a test or development server, self-signed certificates and keys should be sufficient.
{% endstep %}

{% step %}

#### Determine which system variables and options you need to configure.

Mandatory [system variables and options](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables) for TLS include:

| System Variable/Option                                                                            | Description             |
| ------------------------------------------------------------------------------------------------- | ----------------------- |
| [ssl\_cert](https://mariadb.com/docs/server/security/encryption/ssltls-system-variables#ssl_cert) | X509 cert in PEM format |
| [ssl\_key](https://mariadb.com/docs/server/security/encryption/ssltls-system-variables#ssl_key)   | X509 key in PEM format  |
| [ssl\_ca](https://mariadb.com/docs/server/security/encryption/ssltls-system-variables#ssl_ca)     | CA file in PEM format   |

Other useful system variables and options for TLS include:

| System Variable/Option                                                                                                                               | Description                                                                                                                                             |
| ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [require\_secure\_transport](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#require_secure_transport) | When this option is enabled, connections attempted using insecure transport are rejected. Secure transports are SSL/TLS, Unix sockets, and named pipes. |
| [ssl\_capath](https://mariadb.com/docs/server/security/encryption/ssltls-system-variables#ssl_capath)                                                | CA directory                                                                                                                                            |
| [ssl\_cipher](https://mariadb.com/docs/server/security/encryption/ssltls-system-variables#ssl_cipher)                                                | SSL cipher to use                                                                                                                                       |
| [ssl\_crl](https://mariadb.com/docs/server/security/encryption/ssltls-system-variables#ssl_crl)                                                      | CRL file in PEM format                                                                                                                                  |
| [ssl\_crlpath](https://mariadb.com/docs/server/security/encryption/ssltls-system-variables#ssl_crlpath)                                              | CRL directory                                                                                                                                           |
| [tls\_version](https://mariadb.com/docs/server/security/encryption/ssltls-system-variables#tls_version)                                              | TLS protocol version for secure connections                                                                                                             |

{% endstep %}

{% step %}

#### Choose a configuration file in which to configure your system variables and options.

Changing one of the bundled configuration files is not recommended. Instead, [create a custom configuration file](https://mariadb.com/docs/server/server-management/install-and-upgrade-mariadb/configuring-mariadb/configuring-mariadb-with-option-files#including-option-files) in one of the directories included by the main configuration file (for instance, my.cnf). Configuration files in included directories are read in alphabetical order. If you want your custom configuration file to override the bundled configuration files, prefix its name with a string that sorts last, such as `z-`. Examples:

* RHEL, CentOS, Rocky Linux, and SLES: `/etc/my.cnf.d/z-custom-my.cnf`
* Debian and Ubuntu: `/etc/mysql/mariadb.conf.d/z-custom-my.cnf`
* macOS: `/opt/homebrew/etc/z-custom-my.cnf`

{% endstep %}

{% step %}

#### Set your system variables and options in the configuration file.

They need to be set in a group that is read by [MariaDB Server](https://github.com/mariadb-corporation/docs-server/blob/test/en/mariadb-enterprise-server/README.md), such as `[mariadb]`, `[server]`, or `[client-server]`:

```ini
[mariadb]
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem
ssl_ca = /certs/ca-cert.pem
```

{% endstep %}

{% step %}

#### Restart the server.

On most Linux systems, run this command:

```bash
sudo systemctl restart mariadb
```

On macOS, run this command:

```bash
brew services restart mariadb
```

{% endstep %}

{% step %}

#### Connect to the server.

Start a client like [mariadb](https://mariadb.com/docs/server/clients-and-utilities/mariadb-client/mariadb-command-line-client) (see [this page](https://mariadb.com/docs/server/mariadb-quickstart-guides/mariadb-connecting-guide) for connection options):

```bash
sudo mariadb
```

{% endstep %}

{% step %}

#### Verify that TLS is enabled.

```sql
SHOW GLOBAL VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
```

{% endstep %}
{% endstepper %}
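
The configuration step above only takes effect if the options sit in a group the server reads. As an added example (not part of MariaDB's documentation or tooling), this Python script audits option-file text for the mandatory variables plus `require_secure_transport` and `tls_version`. The function names and sample files are constructed, `[mysqld]` and `[mariadbd]` are added to the page's three groups as an assumption, and `!include` directives are skipped rather than followed.

```python
# Added example: audit MariaDB option-file text for the TLS settings named on this page.
SERVER_GROUPS = {"mariadb", "server", "client-server", "mysqld", "mariadbd"}  # assumption
MANDATORY = ("ssl_cert", "ssl_key", "ssl_ca")
ENABLED = {"", "1", "on", "true"}   # a bare boolean option (no value) means ON
LEGACY_TLS = {"TLSv1.0", "TLSv1.1"}

def parse_option_file(text):
    """Return {group: {option: value}}; '-' and '_' in option names are equivalent."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":   # blank, comment, or !include directive
            continue
        if line.startswith("[") and line.endswith("]"):
            current = groups.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None:
            name, _, value = line.partition("=")
            current[name.strip().lower().replace("-", "_")] = value.strip().strip("'\"")
    return groups

def audit_tls(text):
    """Return a list of findings; an empty list means every check passed."""
    groups, server, findings = parse_option_file(text), {}, []
    for group, opts in groups.items():
        if group in SERVER_GROUPS:
            server.update(opts)            # later groups override earlier ones
    for name in MANDATORY:
        if name not in server:
            others = sorted(g for g, o in groups.items() if name in o)
            hint = f" (only in [{others[0]}], which the server does not read)" if others else ""
            findings.append(f"{name} is not set for the server{hint}")
    if server.get("require_secure_transport", "off").lower() not in ENABLED:
        findings.append("require_secure_transport is off: plaintext TCP logins are accepted")
    legacy = sorted(LEGACY_TLS & {v.strip() for v in server.get("tls_version", "").split(",")})
    if legacy:
        findings.append("tls_version allows " + ", ".join(legacy))
    return findings

# Constructed sample option files; the paths follow the page's example.
BASE = "[mariadb]\nssl_cert = /certs/server-cert.pem\nssl_key = /certs/server-key.pem\n"
WEAK = BASE + "tls_version = TLSv1.1,TLSv1.2\n[client]\nssl-ca = /certs/ca-cert.pem\n"
HARDENED = (BASE + "ssl_ca = /certs/ca-cert.pem\n"
            "require_secure_transport = ON\ntls_version = TLSv1.2,TLSv1.3\n")

if __name__ == "__main__":
    for label, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit_tls(sample))
```
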

<sub>*This page is: Copyright © 2025 MariaDB. All rights reserved.*</sub>
