Key Certificate Configuration

Enabling SSL functionality in Doris requires configuring both a CA key certificate and a server-side key certificate. To enable mutual authentication, a client-side key certificate must also be generated:

  • The default CA key certificate file is located at Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12, with a default password of doris. You can modify the FE configuration file conf/fe.conf to add mysql_ssl_default_ca_certificate = /path/to/your/certificate to change the CA key certificate file. You can also add mysql_ssl_default_ca_certificate_password = your_password to specify the password for your custom key certificate file.
  • The default server-side key certificate file is located at Doris/fe/mysql_ssl_default_certificate/server_certificate.p12, with a default password of doris. You can modify the FE configuration file conf/fe.conf to add mysql_ssl_default_server_certificate = /path/to/your/certificate to change the server-side key certificate file. You can also add mysql_ssl_default_server_certificate_password = your_password to specify the password for your custom key certificate file.
  • By default, a client-side key certificate is also generated and stored in Doris/fe/mysql_ssl_default_certificate/client-key.pem and Doris/fe/mysql_ssl_default_certificate/client_certificate/.

Custom key certificate file

In addition to the Doris default certificate file, you can also generate a custom certificate file through openssl. Here are the steps (refer to Creating SSL Certificates and Keys Using OpenSSL):

  1. Generate the CA, server-side, and client-side keys and certificates:
  1. # Generate the CA certificate
  2. openssl genrsa 2048 > ca-key.pem
  3. openssl req -new -x509 -nodes -days 3600 \
  4.         -key ca-key.pem -out ca.pem
  6. # Generate the server certificate and sign it with the above CA
  7. # server-cert.pem = public key, server-key.pem = private key
  8. openssl req -newkey rsa:2048 -days 3600 \
  9.         -nodes -keyout server-key.pem -out server-req.pem
  10. openssl rsa -in server-key.pem -out server-key.pem
  11. openssl x509 -req -in server-req.pem -days 3600 \
  12.         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
  14. # Generate the client certificate and sign it with the above CA
  15. # client-cert.pem = public key, client-key.pem = private key
  16. openssl req -newkey rsa:2048 -days 3600 \
  17.         -nodes -keyout client-key.pem -out client-req.pem
  18. openssl rsa -in client-key.pem -out client-key.pem
  19. openssl x509 -req -in client-req.pem -days 3600 \
  20.         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
  1. Verify the created certificates:
  1. openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
  1. Combine your key and certificate in a PKCS#12 (P12) bundle. You can also specify a certificate format (PKCS12 by default). You can modify the conf/fe.conf configuration file and add parameter ssl_trust_store_type to specify the certificate format.
  1. # Package the CA key and certificate
  2. openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
  4. # Package the server-side key and certificate
  5. openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12

reference documents