Key Certificate Configuration
Enabling SSL functionality in Doris requires configuring both a CA key certificate and a server-side key certificate. To enable mutual authentication, a client-side key certificate must also be generated:
- The default CA key certificate file is located at
Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12
, with a default password ofdoris
. You can modify the FE configuration fileconf/fe.conf
to addmysql_ssl_default_ca_certificate = /path/to/your/certificate
to change the CA key certificate file. You can also addmysql_ssl_default_ca_certificate_password = your_password
to specify the password for your custom key certificate file. - The default server-side key certificate file is located at
Doris/fe/mysql_ssl_default_certificate/server_certificate.p12
, with a default password ofdoris
. You can modify the FE configuration fileconf/fe.conf
to addmysql_ssl_default_server_certificate = /path/to/your/certificate
to change the server-side key certificate file. You can also addmysql_ssl_default_server_certificate_password = your_password
to specify the password for your custom key certificate file. - By default, a client-side key certificate is also generated and stored in
Doris/fe/mysql_ssl_default_certificate/client-key.pem
andDoris/fe/mysql_ssl_default_certificate/client_certificate/
.
Custom key certificate file
In addition to the Doris default certificate file, you can also generate a custom certificate file through openssl
. Here are the steps (refer to Creating SSL Certificates and Keys Using OpenSSL):
- Generate the CA, server-side, and client-side keys and certificates:
# Generate the CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
-key ca-key.pem -out ca.pem
# Generate the server certificate and sign it with the above CA
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Generate the client certificate and sign it with the above CA
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
- Verify the created certificates:
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
- Combine your key and certificate in a PKCS#12 (P12) bundle. You can also specify a certificate format (PKCS12 by default). You can modify the conf/fe.conf configuration file and add parameter ssl_trust_store_type to specify the certificate format.
# Package the CA key and certificate
openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
# Package the server-side key and certificate
openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12