circle-info
Webinar | MariaDB AI RAG: Replacing Complex Pipeline Tooling with One REST API
Watch Nowarrow-up-right
search
Ctrlk
Download MariaDBContact Us
githubEdit

Enabling TLS on MariaDB Server

Step-by-step instructions for configuring MariaDB Server to use TLS by setting system variables like ssl_cert, ssl_key, and ssl_ca in the configuration file.

hashtag
Overview

MariaDB Server supports data-in-transit encryption, which secures data transmitted over the network. The server and the clients encrypt data using the Transport Layer Security (TLS) protocol, which is a newer version of the Secure Socket Layer (SSL) protocol.

TLS must be manually enabled on the server, which is what this page describes.

hashtag
Enabling TLS

1

Acquire an X509 certificate and a private key for the server.

If it is a test or development server, self-signed certificates and keys should be sufficient.

2

Determine which system variables and you need to configure.

Mandatory system variables and options for TLS include:

System Variable/Option
Description

ssl_cert

X509 cert in PEM format

ssl_key

X509 key in PEM format

ssl_ca

JCA file in PEM format

Other useful system variables and options for TLS include:

System Variable/Option
Description

require_secure_transport

When this option is enabled, connections attempted using insecure transport are rejected. Secure transports are SSL/TLS, Unix sockets, and named pipes.

ssl_capath

CA directory

ssl_cipher

SSL cipher to use

ssl_crl

CRL file in PEM format

ssl_crlpath

CRL directory

tls_version

TLS protocol version for secure connections

3

Choose a configuration file in which to configure your system variables and options.

It is not recommended to make changes to one of the bundled configuration files. Instead, we recommend to create a custom configuration file in one of the directories included by the main configuration file (for instance, my.cnf). Configuration files in included directories are read in alphabetical order. If you want your custom configuration file to override the bundled configuration files, it is a good idea to prefix the custom configuration file's name with a string that will be sorted last, such as z-. Examples:

  • RHEL, CentOS, Rocky Linux, and SLES: /etc/my.cnf.d/z-custom-my.cnf

  • Debian and Ubuntu: /etc/mysql/mariadb.conf.d/z-custom-my.cnf

  • macOS: /opt/homebrew/etc/z-custom-my.cnf

4

Set your system variables and options in the configuration file.

They need to be set in a group that is read by MariaDB Serverarrow-up-right, such as [mariadb] , [server], or [client-server]:

[mariadb]
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem
ssl_ca = /certs/ca-cert.pem
5

Restart the server.

On most Linux systems, run this command:

sudo systemctl restart mariadb

On macOS, run this command:

brew services restart mariadb
6

Connect to the server.

Start a client like mariadb (see this page for connection options):

$ sudo mariadb
7

Verify that TLS is enabled.

SHOW GLOBAL VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+

This page is: Copyright © 2025 MariaDB. All rights reserved.

spinner
PreviousReplication with Secure ConnectionsNextCertificate Creation with OpenSSL

Last updated

Was this helpful?