Warning: the instructions below generate version 1 certificates only. These work fine with servers and clients using OpenSSL, but fail if WolfSSL is used instead, as is the case for our Windows MSI packages and our binary tarballs for Linux. WolfSSL requires version 3 certificates instead when using TLS v1.2 or higher, and so won't work with certificates generated as shown here when using two-way TLS with explicit client certificates. Generating version 3 certificates requires a few more minor steps, we will upgrade the instructions below soon to include these. See also: MDEV-25701
In order to secure communications with the MariaDB Server using TLS, you need to create a private key and an X509 certificate for the server. You may also want to create additional private keys and X509 certificates for any clients that need to connect to the server with TLS. This guide covers how to create a private key and a self-signed X509 certificate with OpenSSL.
The OpenSSL library provides a command-line tool called , which can be used for performing various tasks with the library, such as generating private keys, creating X509 certificate requests, signing X509 certificates as a Certificate Authority (CA), and verifying X509 certificates.
The Certificate Authority (CA) is typically an organization (such as ) that signs the X509 certificate and validates ownership of the domain. However, when you would like to use self-signed certificates, you need to create the private key and certificate for the CA yourself, and then you can use them to sign your own X509 certificates.
To start, generate a private key for the CA using the command. For example:
After that, you can use the private key to generate the X509 certificate for the CA using the command. For example:
The above commands create two files in the working directory: The ca-key.pem private key and the ca.pem X509 certificate are both are used by the CA to create self-signed X509 certificates below.
Once you have the CA's private key and X509 certificate, you can create the self-signed X509 certificates to use for the MariaDB Server, client, replication and other purposes.
To start, generate a private key and create a certificate request using the command. For example:
After that, process the key to remove the passphrase using the command. For example:
Lastly, using the certificate request and the CA's private key and X509 certificate, you can generate a self-signed X509 certificate from the certificate request using the command. For example:
This creates a server-cert.pem file, which is the self-signed X509 certificate.
Once you have created the CA's X509 certificate and a self-signed X509 certificate, you can verify that the X509 certificate was correctly generated using the command. For example:
You can add as many X509 certificates to check against the CA's X509 certificate as you want to verify. A value of OK indicates that you can use it was correctly generated and is ready for use with MariaDB.
This page is licensed: CC BY-SA / Gnu FDL
# openssl genrsa 2048 > ca-key.pem# openssl req -new -x509 -nodes -days 365000 \
-key ca-key.pem -out ca.pem# openssl req -newkey rsa:2048 -days 365000 \
-nodes -keyout server-key.pem -out server-req.pem# openssl rsa -in server-key.pem -out server-key.pem# openssl x509 -req -in server-req.pem -days 365000 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 \
-out server-cert.pem# openssl verify -CAfile ca.pem server-cert.pem
server-cert.pem: OK