Skip to main content
Skip to main content

TLS certificate

Key Certificate Configuration

Enabling SSL functionality in Doris requires configuring both a CA key certificate and a server-side key certificate. To enable mutual authentication, a client-side key certificate must also be generated:

  • The default CA key certificate file is located at Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12, with a default password of doris. You can modify the FE configuration file conf/fe.conf to add mysql_ssl_default_ca_certificate = /path/to/your/certificate to change the CA key certificate file. You can also add mysql_ssl_default_ca_certificate_password = your_password to specify the password for your custom key certificate file.
  • The default server-side key certificate file is located at Doris/fe/mysql_ssl_default_certificate/server_certificate.p12, with a default password of doris. You can modify the FE configuration file conf/fe.conf to add mysql_ssl_default_server_certificate = /path/to/your/certificate to change the server-side key certificate file. You can also add mysql_ssl_default_server_certificate_password = your_password to specify the password for your custom key certificate file.
  • By default, a client-side key certificate is also generated and stored in Doris/fe/mysql_ssl_default_certificate/client-key.pem and Doris/fe/mysql_ssl_default_certificate/client_certificate/.

Custom key certificate file

In addition to the Doris default certificate file, you can also generate a custom certificate file through openssl. Here are the steps (refer to Creating SSL Certificates and Keys Using OpenSSL):

  1. Generate the CA, server-side, and client-side keys and certificates:
# Generate the CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
-key ca-key.pem -out ca.pem

# Generate the server certificate and sign it with the above CA
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Generate the client certificate and sign it with the above CA
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
  1. Verify the created certificates:
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
  1. Combine your key and certificate in a PKCS#12 (P12) bundle. You can also specify a certificate format (PKCS12 by default). You can modify the conf/fe.conf configuration file and add parameter ssl_trust_store_type to specify the certificate format.
# Package the CA key and certificate
openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12

# Package the server-side key and certificate
openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12

reference documents