This is an automated email from the ASF dual-hosted git repository.

morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris-website.git


The following commit(s) were added to refs/heads/master by this push:
     new e1a8ea1d65f [opt] opt auth doc (#3336)
e1a8ea1d65f is described below

commit e1a8ea1d65fde133e3012cda8c34d816d3f214b8
Author: Mingyu Chen (Rayner) <[email protected]>
AuthorDate: Thu Feb 5 11:16:12 2026 +0800

    [opt] opt auth doc (#3336)
    
    ## Versions
    
    - [x] dev
    - [x] 4.x
    - [x] 3.x
    - [ ] 2.1
    
    ## Languages
    
    - [x] Chinese
    - [x] English
    
    ## Docs Checklist
    
    - [ ] Checked by AI
    - [ ] Test Cases Built
---
 docs/admin-manual/auth/certificate.md              | 150 ++++++++++++++++-----
 .../current/admin-manual/auth/certificate.md       | 145 +++++++++++++++-----
 .../version-3.x/admin-manual/auth/certificate.md   | 145 +++++++++++++++-----
 .../version-4.x/admin-manual/auth/certificate.md   | 145 +++++++++++++++-----
 .../version-3.x/admin-manual/auth/certificate.md   | 150 ++++++++++++++++-----
 .../version-4.x/admin-manual/auth/certificate.md   | 150 ++++++++++++++++-----
 6 files changed, 681 insertions(+), 204 deletions(-)

diff --git a/docs/admin-manual/auth/certificate.md 
b/docs/admin-manual/auth/certificate.md
index c3bd55e7b33..bf27e98318a 100644
--- a/docs/admin-manual/auth/certificate.md
+++ b/docs/admin-manual/auth/certificate.md
@@ -1,62 +1,136 @@
 ---
 {
-    "title": "MySQL Client Certificate",
+    "title": "MySQL Secure Transport",
     "language": "en",
-    "description": "Doris supports SSL-based encrypted connections. It 
currently supports TLS1.2 and TLS1.3 protocols."
+    "description": "Learn how to configure SSL/TLS encrypted connections for 
Apache Doris to protect data transmission security between MySQL clients and 
Doris. Supports TLS1.2/1.3 protocols with two modes: one-way authentication and 
mTLS mutual authentication."
 }
 ---
 
-## Communicate with the server over an encrypted connection
+This document describes how to configure SSL/TLS encryption for communication 
between Doris and MySQL clients to protect data transmission security.
 
-Doris supports SSL-based encrypted connections. It currently supports TLS1.2 
and TLS1.3 protocols. Doris' SSL mode can be enabled through the following 
configuration:
-Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
+## Overview
 
-Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+Doris supports SSL-based encrypted connections, currently supporting TLS1.2 
and TLS1.3 protocols. By enabling SSL, you can ensure that data transmission 
between clients and Doris FE is encrypted, preventing data from being 
intercepted or tampered with during transmission.
 
-1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql 
--ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL 
encrypted connection at the beginning, if it fails , a normal connection is 
attempted.
+Doris provides two SSL authentication modes:
 
-2. `mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`, do not use SSL 
encrypted connection, use normal connection directly.
+| Authentication Mode | Description | Use Case |
+|---------|------|---------|
+| One-way authentication (default) | Only validates server certificate | 
General security requirements |
+| Mutual authentication (mTLS) | Validates both server and client certificates 
| High security requirements |
 
-3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL 
encrypted connections.
+## Quick Start
 
->Note:
->`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to 
[here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)
 for mysql client version lower than this version。
-Doris needs a key certificate file to verify the SSL encrypted connection. The 
default key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default 
password is `doris`. You can modify the FE configuration file `conf/fe. conf`, 
add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the 
key certificate file, and you can also add the password corresponding to your 
custom key book file through `mysql_ssl_default_certificate_p [...]
+Enable SSL encrypted connections in just two steps:
 
-Doris also supports mTLS:
-Modify the FE configuration file `conf/fe.conf` and add 
`ssl_force_client_auth=true`.
+**1. Enable SSL functionality in FE**
 
-Then you can connect to Doris via the `mysql` client:
+Modify the FE configuration file `conf/fe.conf`, add the following 
configuration, and restart FE:
 
-`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2 
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert 
--ssl-key=/path/to/your/key`
+```properties
+enable_ssl = true
+```
+
+**2. Connect using MySQL client**
+
+```shell
+mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1
+```
+
+Doris has built-in default key certificate files, so SSL functionality can be 
used without additional configuration.
 
-The default ca, cert, and key files are located in 
`Doris/conf/mysql_ssl_default_certificate/client_certificate/`, named `ca.pem`, 
`client-cert.pem`, and `client-key.pem` respectively.
+## Client Connection Methods
 
-You can also generate your own certificate files using openssl or keytool.
+When connecting to Doris via MySQL client, you can choose the following SSL 
modes:
 
-## Key Certificate Configuration
+| SSL Mode | Description | Command Example |
+|---------|------|---------|
+| PREFERRED (default) | Attempts SSL connection first, falls back to regular 
connection if failed | `mysql -uroot -P9030 -h127.0.0.1` |
+| DISABLE | Disables SSL, uses regular connection | `mysql --ssl-mode=DISABLE 
-uroot -P9030 -h127.0.0.1` |
+| REQUIRED | Forces SSL connection | `mysql --ssl-mode=REQUIRED -uroot -P9030 
-h127.0.0.1` |
 
-Enabling SSL functionality in Doris requires configuring both a CA key 
certificate and a server-side key certificate. To enable mutual authentication, 
a client-side key certificate must also be generated:
+:::note Note
+The `--ssl-mode` parameter was introduced in MySQL 5.7.11. For MySQL clients 
below this version, please refer to the [MySQL official 
documentation](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html).
+:::
 
-* The default CA key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default 
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to 
add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change 
the CA key certificate file. You can also add 
`mysql_ssl_default_ca_certificate_password = your_password` to specify the 
password for your custom key certificate file.
+## Configuring Mutual Authentication (mTLS)
 
-* The default server-side key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`, with a default 
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to 
add `mysql_ssl_default_server_certificate = /path/to/your/certificate` to 
change the server-side key certificate file. You can also add 
`mysql_ssl_default_server_certificate_password = your_password` to specify the 
password for your custom key certificate file.
+If you need a higher level of security, you can enable mTLS mutual 
authentication, which requires clients to also provide certificates for 
identity verification.
 
-* By default, a client-side key certificate is also generated and stored in 
`Doris/fe/mysql_ssl_default_certificate/client-key.pem` and 
`Doris/fe/mysql_ssl_default_certificate/client_certificate/`.
+### Enable mTLS
 
-## Custom key certificate file
+Modify the FE configuration file `conf/fe.conf`, add the following 
configuration, and restart FE:
+
+```properties
+enable_ssl = true
+ssl_force_client_auth = true
+```
 
-In addition to the Doris default certificate file, you can also generate a 
custom certificate file through `openssl`. Here are the steps (refer to 
[Creating SSL Certificates and Keys Using 
OpenSSL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)):
+### Client Connection
 
-1. Generate the CA, server-side, and client-side keys and certificates:
+When connecting with mTLS, the client needs to specify the CA certificate, 
client certificate, and private key:
 
 ```shell
-# Generate the CA certificate
+mysql --ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 \
+      --tls-version=TLSv1.2 \
+      --ssl-ca=/path/to/your/ca.pem \
+      --ssl-cert=/path/to/your/client-cert.pem \
+      --ssl-key=/path/to/your/client-key.pem
+```
+
+Doris provides default client certificate files located in the 
`Doris/conf/mysql_ssl_default_certificate/client_certificate/` directory:
+
+| File Name | Description |
+|-------|------|
+| `ca.pem` | CA certificate |
+| `client-cert.pem` | Client certificate |
+| `client-key.pem` | Client private key |
+
+## Certificate Configuration Details
+
+Enabling SSL functionality in Doris requires configuring CA key certificates 
and Server-side key certificates. If mutual authentication is enabled, 
Client-side key certificates must also be configured.
+
+### Default Certificates
+
+Doris has built-in default certificate files that can be used directly:
+
+| Certificate Type | Default Path | Default Password |
+|---------|---------|---------|
+| CA Certificate | `Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12` 
| `doris` |
+| Server-side Certificate | 
`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12` | `doris` |
+| Client-side Certificate | 
`Doris/fe/mysql_ssl_default_certificate/client_certificate/` | - |
+
+### Custom Certificates
+
+To use custom certificates, add the following configuration to the FE 
configuration file `conf/fe.conf`:
+
+**CA Certificate Configuration**
+
+```properties
+mysql_ssl_default_ca_certificate = /path/to/your/ca_certificate.p12
+mysql_ssl_default_ca_certificate_password = your_password
+```
+
+**Server-side Certificate Configuration**
+
+```properties
+mysql_ssl_default_server_certificate = /path/to/your/server_certificate.p12
+mysql_ssl_default_server_certificate_password = your_password
+```
+
+## Generating Custom Certificates
+
+If you need to use your own certificates, you can generate them using OpenSSL. 
For detailed steps, please refer to the [MySQL official documentation: Creating 
SSL Certificates Using 
OpenSSL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html).
+
+### Step 1: Generate CA, Server-side, and Client-side Keys and Certificates
+
+```shell
+# Generate CA certificate
 openssl genrsa 2048 > ca-key.pem
 openssl req -new -x509 -nodes -days 3600 \
         -key ca-key.pem -out ca.pem
 
-# Generate the server certificate and sign it with the above CA
+# Generate Server-side certificate and sign with the above CA
 # server-cert.pem = public key, server-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout server-key.pem -out server-req.pem
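
Review bot: The Overview table says one-way authentication "Only validates server certificate", but every one-way command in Quick Start and in the Client Connection Methods table uses `--ssl-mode=REQUIRED` or the default `PREFERRED`, and neither makes the `mysql` client check the server certificate against a CA. Only the mTLS example passes `--ssl-mode=VERIFY_CA` with `--ssl-ca`. Consider adding a `VERIFY_CA` row (with `--ssl-ca=/path/to/your/ca.pem`) to the SSL mode table and pointing the "validates server certificate" wording at it. Separately, the default client certificate directory is given as `Doris/conf/mysql_ssl_default_certificate/client_certificate/` under Client Connection and as `Doris/fe/mysql_ssl_default_certificate/client_certificate/` in the Default Certificates table; one of the two needs correcting.
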
@@ -64,7 +138,7 @@ openssl rsa -in server-key.pem -out server-key.pem
 openssl x509 -req -in server-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
 
-# Generate the client certificate and sign it with the above CA
+# Generate Client-side certificate and sign with the above CA
 # client-cert.pem = public key, client-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout client-key.pem -out client-req.pem
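
Review bot: The server certificate in the context lines of this hunk is signed with `-set_serial 01`, and the client certificate created after the reworded comment is signed with `-set_serial 01` as well (first context line of the next hunk), so the same CA issues two certificates with the same serial number. Since this block is being touched anyway, consider giving the client certificate a distinct serial such as `-set_serial 02`, because serial numbers are expected to be unique per issuer and some TLS implementations reject duplicates.
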
@@ -73,22 +147,28 @@ openssl x509 -req -in client-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-2. Verify the created certificates:
+### Step 2: Verify Certificates
 
 ```shell
 openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
-3. Combine your key and certificate in a PKCS#12 (P12) bundle. You can also 
specify a certificate format (PKCS12 by default). You can modify the 
conf/fe.conf configuration file and add parameter ssl_trust_store_type to 
specify the certificate format.
+### Step 3: Package into PKCS#12 Format
+
+Merge the CA key and certificate, and Server-side key and certificate 
separately into PKCS#12 (P12) format for use by Doris:
 
 ```shell
-# Package the CA key and certificate
+# Package CA key and certificate
 openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
 
-# Package the server-side key and certificate
+# Package Server-side key and certificate
 openssl pkcs12 -inkey server-key.pem -in server-cert.pem -export -out 
server_certificate.p12
 ```
 
-:::info Note
-[reference 
documents](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)
+:::tip Tip
+You can also modify the `conf/fe.conf` configuration file and add the 
parameter `ssl_trust_store_type` to specify other certificate formats. The 
default is PKCS12.
+:::
+
+:::info More Information
+For more information on generating self-signed certificates using OpenSSL, 
please refer to the [IBM official 
documentation](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl).
 :::
\ No newline at end of file
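
Review bot: Step 3 packages the CA private key into the file the FE loads (`openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12`) without saying why the FE needs the CA key or how that file should be protected; checking client certificates normally needs only the CA certificate. Please state whether the key is required here and, if it is, add a sentence on restricting read access to the `.p12` files. The step should also say that the export password entered at the `openssl pkcs12` prompt is the value to set in `mysql_ssl_default_ca_certificate_password` and `mysql_ssl_default_server_certificate_password`. Minor: the file now ends without a trailing newline.
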
diff --git 
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/certificate.md
 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/certificate.md
index fa8c80a72dc..50ac46777b2 100644
--- 
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/certificate.md
+++ 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/certificate.md
@@ -2,62 +2,135 @@
 {
     "title": "MySQL 安全传输",
     "language": "zh-CN",
-    "description": 
"Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式: 
修改FE配置文件conf/fe.conf,添加enablessl = true即可。"
+    "description": "了解如何为 Apache Doris 配置 SSL/TLS 加密连接,保护 MySQL 客户端与 Doris 
之间的数据传输安全。支持 TLS1.2/1.3 协议,提供单向认证和 mTLS 双向认证两种模式。"
 }
 ---
 
-## 加密连接 FE
+本文档介绍如何为 Doris 与 MySQL 客户端之间的通信配置 SSL/TLS 加密,以保护数据传输安全。
 
-Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式:
-修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。
+## 概述
 
-接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式:
+Doris 支持基于 SSL 的加密连接,当前支持 TLS1.2 和 TLS1.3 协议。通过启用 SSL,可以确保客户端与 Doris FE 
之间的数据传输经过加密,防止数据在传输过程中被窃取或篡改。
 
-1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030 
-h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。
+Doris 提供两种 SSL 认证模式:
 
-2.`mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`,不使用SSL加密连接,直接使用普通连接。
+| 认证模式 | 说明 | 适用场景 |
+|---------|------|---------|
+| 单向认证(默认) | 仅验证服务端证书 | 一般安全需求场景 |
+| 双向认证(mTLS) | 同时验证服务端和客户端证书 | 高安全需求场景 |
 
-3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。
+## 快速开始
 
->注意:
->`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
-Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate
 = 
/path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password
 = your_password`添加对应您自定义密钥书文件的密码。
+只需两步即可启用 SSL 加密连接:
 
-Doris还支持mTLS:
-修改FE配置文件`conf/fe.conf`,添加`ssl_force_client_auth=true`即可。
+**1. 开启 FE 的 SSL 功能**
 
-接下来可以通过`mysql`客户端连接Doris:
+修改 FE 配置文件 `conf/fe.conf`,添加以下配置后重启 FE:
 
-`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2 
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert 
--ssl-key=/path/to/your/key`
+```properties
+enable_ssl = true
+```
 
-默认的ca,cert,key文件位于`Doris/conf/mysql_ssl_default_certificate/client_certificate/`,分别叫做`ca.pem`,`client-cert.pem`,`client-key.pem`。
+**2. 使用 MySQL 客户端连接**
 
-你也可以通过openssl或者keytool生成自己的证书文件。
+```shell
+mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1
+```
 
-## SSL密钥证书配置
+Doris 内置了默认的密钥证书文件,因此无需额外配置即可使用 SSL 功能。
 
-Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书,如需开启双向认证,还需生成 Client 端密钥证书:
+## 客户端连接方式
 
-* 默认的 CA 
密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`,默认密码为`doris`,您可以通过修改
 FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_ca_certificate = 
/path/to/your/certificate`修改 CA 
密钥证书文件,同时也可以通过`mysql_ssl_default_ca_certificate_password = 
your_password`添加对应您自定义密钥证书文件的密码。
+通过 MySQL 客户端连接 Doris 时,可以选择以下 SSL 模式:
 
-* 默认的 Server 
端密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`,默认密码为`doris`,您可以通过修改
 FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_server_certificate = 
/path/to/your/certificate`修改 Server 
端密钥证书文件,同时也可以通过`mysql_ssl_default_server_certificate_password = 
your_password`添加对应您自定义密钥证书文件的密码。
+| SSL 模式 | 说明 | 命令示例 |
+|---------|------|---------|
+| PREFERRED(默认) | 优先尝试 SSL 连接,失败则回退到普通连接 | `mysql -uroot -P9030 -h127.0.0.1` |
+| DISABLE | 禁用 SSL,使用普通连接 | `mysql --ssl-mode=DISABLE -uroot -P9030 
-h127.0.0.1` |
+| REQUIRED | 强制使用 SSL 连接 | `mysql --ssl-mode=REQUIRED -uroot -P9030 
-h127.0.0.1` |
+
+:::note 注意
+`--ssl-mode` 参数是 MySQL 5.7.11 版本引入的,低于此版本的 MySQL 客户端请参考 [MySQL 
官方文档](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
+:::
 
-* 默认生成了一份 Client 
端的密钥证书,分别存放在`Doris/fe/mysql_ssl_default_certificate/client-key.pem`和`Doris/fe/mysql_ssl_default_certificate/client_certificate/`。
+## 配置双向认证(mTLS)
 
-## 自定义密钥证书文件
+如果您需要更高的安全级别,可以启用 mTLS 双向认证,要求客户端也提供证书进行身份验证。
+
+### 开启 mTLS
+
+修改 FE 配置文件 `conf/fe.conf`,添加以下配置后重启 FE:
+
+```properties
+enable_ssl = true
+ssl_force_client_auth = true
+```
 
-除了 Doris 默认的证书文件,您也可以通过`openssl`生成自定义的证书文件。步骤参考[MySQL 生成 SSL 
证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)
-具体如下:
+### 客户端连接
 
-1. 生成 CA、Server 端和 Client 端的密钥和证书
+使用 mTLS 连接时,客户端需要指定 CA 证书、客户端证书和私钥:
 
 ```shell
-# 生成 CA certificate
+mysql --ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 \
+      --tls-version=TLSv1.2 \
+      --ssl-ca=/path/to/your/ca.pem \
+      --ssl-cert=/path/to/your/client-cert.pem \
+      --ssl-key=/path/to/your/client-key.pem
+```
+
+Doris 提供了默认的客户端证书文件,位于 
`Doris/conf/mysql_ssl_default_certificate/client_certificate/` 目录下:
+
+| 文件名 | 说明 |
+|-------|------|
+| `ca.pem` | CA 证书 |
+| `client-cert.pem` | 客户端证书 |
+| `client-key.pem` | 客户端私钥 |
+
+## 证书配置详解
+
+Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书。如需开启双向认证,还需配置 Client 端密钥证书。
+
+### 默认证书
+
+Doris 内置了默认的证书文件,可直接使用:
+
+| 证书类型 | 默认路径 | 默认密码 |
+|---------|---------|---------|
+| CA 证书 | `Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12` | 
`doris` |
+| Server 端证书 | `Doris/fe/mysql_ssl_default_certificate/server_certificate.p12` 
| `doris` |
+| Client 端证书 | `Doris/fe/mysql_ssl_default_certificate/client_certificate/` | 
- |
+
+### 自定义证书
+
+如需使用自定义证书,可在 FE 配置文件 `conf/fe.conf` 中添加以下配置:
+
+**CA 证书配置**
+
+```properties
+mysql_ssl_default_ca_certificate = /path/to/your/ca_certificate.p12
+mysql_ssl_default_ca_certificate_password = your_password
+```
+
+**Server 端证书配置**
+
+```properties
+mysql_ssl_default_server_certificate = /path/to/your/server_certificate.p12
+mysql_ssl_default_server_certificate_password = your_password
+```
+
+## 生成自定义证书
+
+如果您需要使用自己的证书,可以通过 OpenSSL 生成。具体步骤请参考 [MySQL 官方文档:生成 SSL 
证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)。
+
+### 步骤 1:生成 CA、Server 端和 Client 端的密钥和证书
+
+```shell
+# 生成 CA 证书
 openssl genrsa 2048 > ca-key.pem
 openssl req -new -x509 -nodes -days 3600 \
         -key ca-key.pem -out ca.pem
 
-# 生成 server certificate, 并用上述 CA 签名
+# 生成 Server 端证书,并用上述 CA 签名
 # server-cert.pem = public key, server-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout server-key.pem -out server-req.pem
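
Review bot: In the SSL mode table the second row documents `DISABLE` and the command `mysql --ssl-mode=DISABLE`, while the value the `mysql` client documents is `DISABLED`; since the table is new in this change, use the documented spelling in both the mode column and the command. In the `:::note 注意` block below it, the link for clients older than 5.7.11 still points to the Connector/J connection properties page, which covers JDBC settings rather than `mysql` command-line options, so the link target does not match the sentence. The same text appears in the other language and version copies in this commit.
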
@@ -65,7 +138,7 @@ openssl rsa -in server-key.pem -out server-key.pem
 openssl x509 -req -in server-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
 
-# 生成 client certificate, 并用上述 CA 签名
+# 生成 Client 端证书,并用上述 CA 签名
 # client-cert.pem = public key, client-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout client-key.pem -out client-req.pem
@@ -74,13 +147,15 @@ openssl x509 -req -in client-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-2. 验证创建的证书。
+### 步骤 2:验证证书
 
 ```shell
 openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
-3. 将您的 CA 密钥和证书和 Server 端密钥和证书分别合并到 PKCS#12 (P12) 包中。您也可以指定某个证书格式,默认 
PKCS12,可以通过修改 conf/fe.conf 配置文件,添加参数 ssl_trust_store_type 指定证书格式
+### 步骤 3:打包为 PKCS#12 格式
+
+将 CA 密钥和证书、Server 端密钥和证书分别合并为 PKCS#12(P12)格式,以便 Doris 使用:
 
 ```shell
 # 打包 CA 密钥和证书
@@ -90,6 +165,10 @@ openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out 
ca_certificate.p12
 openssl pkcs12 -inkey server-key.pem -in server-cert.pem -export -out 
server_certificate.p12
 ```
 
-:::info Note
-[参考文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)
+:::tip 提示
+您也可以通过修改 `conf/fe.conf` 配置文件,添加参数 `ssl_trust_store_type` 来指定其他证书格式,默认为 PKCS12。
+:::
+
+:::info 更多信息
+关于使用 OpenSSL 生成自签名证书的更多信息,请参考 [IBM 
官方文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)。
 :::
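
Review bot: The new `:::tip 提示` block names `ssl_trust_store_type` and its default `PKCS12` but does not list any other accepted value, so a reader cannot act on "其他证书格式". List the supported values here or link to the FE configuration reference entry for this parameter.
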
diff --git 
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/admin-manual/auth/certificate.md
 
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/admin-manual/auth/certificate.md
index fa8c80a72dc..50ac46777b2 100644
--- 
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/admin-manual/auth/certificate.md
+++ 
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/admin-manual/auth/certificate.md
@@ -2,62 +2,135 @@
 {
     "title": "MySQL 安全传输",
     "language": "zh-CN",
-    "description": 
"Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式: 
修改FE配置文件conf/fe.conf,添加enablessl = true即可。"
+    "description": "了解如何为 Apache Doris 配置 SSL/TLS 加密连接,保护 MySQL 客户端与 Doris 
之间的数据传输安全。支持 TLS1.2/1.3 协议,提供单向认证和 mTLS 双向认证两种模式。"
 }
 ---
 
-## 加密连接 FE
+本文档介绍如何为 Doris 与 MySQL 客户端之间的通信配置 SSL/TLS 加密,以保护数据传输安全。
 
-Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式:
-修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。
+## 概述
 
-接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式:
+Doris 支持基于 SSL 的加密连接,当前支持 TLS1.2 和 TLS1.3 协议。通过启用 SSL,可以确保客户端与 Doris FE 
之间的数据传输经过加密,防止数据在传输过程中被窃取或篡改。
 
-1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030 
-h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。
+Doris 提供两种 SSL 认证模式:
 
-2.`mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`,不使用SSL加密连接,直接使用普通连接。
+| 认证模式 | 说明 | 适用场景 |
+|---------|------|---------|
+| 单向认证(默认) | 仅验证服务端证书 | 一般安全需求场景 |
+| 双向认证(mTLS) | 同时验证服务端和客户端证书 | 高安全需求场景 |
 
-3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。
+## 快速开始
 
->注意:
->`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
-Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate
 = 
/path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password
 = your_password`添加对应您自定义密钥书文件的密码。
+只需两步即可启用 SSL 加密连接:
 
-Doris还支持mTLS:
-修改FE配置文件`conf/fe.conf`,添加`ssl_force_client_auth=true`即可。
+**1. 开启 FE 的 SSL 功能**
 
-接下来可以通过`mysql`客户端连接Doris:
+修改 FE 配置文件 `conf/fe.conf`,添加以下配置后重启 FE:
 
-`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2 
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert 
--ssl-key=/path/to/your/key`
+```properties
+enable_ssl = true
+```
 
-默认的ca,cert,key文件位于`Doris/conf/mysql_ssl_default_certificate/client_certificate/`,分别叫做`ca.pem`,`client-cert.pem`,`client-key.pem`。
+**2. 使用 MySQL 客户端连接**
 
-你也可以通过openssl或者keytool生成自己的证书文件。
+```shell
+mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1
+```
 
-## SSL密钥证书配置
+Doris 内置了默认的密钥证书文件,因此无需额外配置即可使用 SSL 功能。
 
-Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书,如需开启双向认证,还需生成 Client 端密钥证书:
+## 客户端连接方式
 
-* 默认的 CA 
密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`,默认密码为`doris`,您可以通过修改
 FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_ca_certificate = 
/path/to/your/certificate`修改 CA 
密钥证书文件,同时也可以通过`mysql_ssl_default_ca_certificate_password = 
your_password`添加对应您自定义密钥证书文件的密码。
+通过 MySQL 客户端连接 Doris 时,可以选择以下 SSL 模式:
 
-* 默认的 Server 
端密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`,默认密码为`doris`,您可以通过修改
 FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_server_certificate = 
/path/to/your/certificate`修改 Server 
端密钥证书文件,同时也可以通过`mysql_ssl_default_server_certificate_password = 
your_password`添加对应您自定义密钥证书文件的密码。
+| SSL 模式 | 说明 | 命令示例 |
+|---------|------|---------|
+| PREFERRED(默认) | 优先尝试 SSL 连接,失败则回退到普通连接 | `mysql -uroot -P9030 -h127.0.0.1` |
+| DISABLE | 禁用 SSL,使用普通连接 | `mysql --ssl-mode=DISABLE -uroot -P9030 
-h127.0.0.1` |
+| REQUIRED | 强制使用 SSL 连接 | `mysql --ssl-mode=REQUIRED -uroot -P9030 
-h127.0.0.1` |
+
+:::note 注意
+`--ssl-mode` 参数是 MySQL 5.7.11 版本引入的,低于此版本的 MySQL 客户端请参考 [MySQL 
官方文档](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
+:::
 
-* 默认生成了一份 Client 
端的密钥证书,分别存放在`Doris/fe/mysql_ssl_default_certificate/client-key.pem`和`Doris/fe/mysql_ssl_default_certificate/client_certificate/`。
+## 配置双向认证(mTLS)
 
-## 自定义密钥证书文件
+如果您需要更高的安全级别,可以启用 mTLS 双向认证,要求客户端也提供证书进行身份验证。
+
+### 开启 mTLS
+
+修改 FE 配置文件 `conf/fe.conf`,添加以下配置后重启 FE:
+
+```properties
+enable_ssl = true
+ssl_force_client_auth = true
+```
 
-除了 Doris 默认的证书文件,您也可以通过`openssl`生成自定义的证书文件。步骤参考[MySQL 生成 SSL 
证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)
-具体如下:
+### 客户端连接
 
-1. 生成 CA、Server 端和 Client 端的密钥和证书
+使用 mTLS 连接时,客户端需要指定 CA 证书、客户端证书和私钥:
 
 ```shell
-# 生成 CA certificate
+mysql --ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 \
+      --tls-version=TLSv1.2 \
+      --ssl-ca=/path/to/your/ca.pem \
+      --ssl-cert=/path/to/your/client-cert.pem \
+      --ssl-key=/path/to/your/client-key.pem
+```
+
+Doris 提供了默认的客户端证书文件,位于 
`Doris/conf/mysql_ssl_default_certificate/client_certificate/` 目录下:
+
+| 文件名 | 说明 |
+|-------|------|
+| `ca.pem` | CA 证书 |
+| `client-cert.pem` | 客户端证书 |
+| `client-key.pem` | 客户端私钥 |
+
+## 证书配置详解
+
+Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书。如需开启双向认证,还需配置 Client 端密钥证书。
+
+### 默认证书
+
+Doris 内置了默认的证书文件,可直接使用:
+
+| 证书类型 | 默认路径 | 默认密码 |
+|---------|---------|---------|
+| CA 证书 | `Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12` | 
`doris` |
+| Server 端证书 | `Doris/fe/mysql_ssl_default_certificate/server_certificate.p12` 
| `doris` |
+| Client 端证书 | `Doris/fe/mysql_ssl_default_certificate/client_certificate/` | 
- |
+
+### 自定义证书
+
+如需使用自定义证书,可在 FE 配置文件 `conf/fe.conf` 中添加以下配置:
+
+**CA 证书配置**
+
+```properties
+mysql_ssl_default_ca_certificate = /path/to/your/ca_certificate.p12
+mysql_ssl_default_ca_certificate_password = your_password
+```
+
+**Server 端证书配置**
+
+```properties
+mysql_ssl_default_server_certificate = /path/to/your/server_certificate.p12
+mysql_ssl_default_server_certificate_password = your_password
+```
+
+## 生成自定义证书
+
+如果您需要使用自己的证书,可以通过 OpenSSL 生成。具体步骤请参考 [MySQL 官方文档:生成 SSL 
证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)。
+
+### 步骤 1:生成 CA、Server 端和 Client 端的密钥和证书
+
+```shell
+# 生成 CA 证书
 openssl genrsa 2048 > ca-key.pem
 openssl req -new -x509 -nodes -days 3600 \
         -key ca-key.pem -out ca.pem
 
-# 生成 server certificate, 并用上述 CA 签名
+# 生成 Server 端证书,并用上述 CA 签名
 # server-cert.pem = public key, server-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout server-key.pem -out server-req.pem
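
Review bot: Quick Start and the 默认证书 table present the built-in certificates, with the documented password `doris`, as ready to use ("无需额外配置即可使用 SSL 功能", "可直接使用") and give no caution about production use. Built-in key files and a published password are the same for every deployment, and with `ssl_force_client_auth = true` the default `client-key.pem` would be accepted as a valid client identity. Consider adding a `:::caution` block stating that the defaults are for testing only and that production clusters should follow 生成自定义证书 and set their own passwords.
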
@@ -65,7 +138,7 @@ openssl rsa -in server-key.pem -out server-key.pem
 openssl x509 -req -in server-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
 
-# 生成 client certificate, 并用上述 CA 签名
+# 生成 Client 端证书,并用上述 CA 签名
 # client-cert.pem = public key, client-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout client-key.pem -out client-req.pem
@@ -74,13 +147,15 @@ openssl x509 -req -in client-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-2. 验证创建的证书。
+### 步骤 2:验证证书
 
 ```shell
 openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
-3. 将您的 CA 密钥和证书和 Server 端密钥和证书分别合并到 PKCS#12 (P12) 包中。您也可以指定某个证书格式,默认 
PKCS12,可以通过修改 conf/fe.conf 配置文件,添加参数 ssl_trust_store_type 指定证书格式
+### 步骤 3:打包为 PKCS#12 格式
+
+将 CA 密钥和证书、Server 端密钥和证书分别合并为 PKCS#12(P12)格式,以便 Doris 使用:
 
 ```shell
 # 打包 CA 密钥和证书
@@ -90,6 +165,10 @@ openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out 
ca_certificate.p12
 openssl pkcs12 -inkey server-key.pem -in server-cert.pem -export -out 
server_certificate.p12
 ```
 
-:::info Note
-[参考文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)
+:::tip 提示
+您也可以通过修改 `conf/fe.conf` 配置文件,添加参数 `ssl_trust_store_type` 来指定其他证书格式,默认为 PKCS12。
+:::
+
+:::info 更多信息
+关于使用 OpenSSL 生成自签名证书的更多信息,请参考 [IBM 
官方文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)。
 :::
diff --git 
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/admin-manual/auth/certificate.md
 
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/admin-manual/auth/certificate.md
index fa8c80a72dc..50ac46777b2 100644
--- 
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/admin-manual/auth/certificate.md
+++ 
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/admin-manual/auth/certificate.md
@@ -2,62 +2,135 @@
 {
     "title": "MySQL 安全传输",
     "language": "zh-CN",
-    "description": 
"Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式: 
修改FE配置文件conf/fe.conf,添加enablessl = true即可。"
+    "description": "了解如何为 Apache Doris 配置 SSL/TLS 加密连接,保护 MySQL 客户端与 Doris 
之间的数据传输安全。支持 TLS1.2/1.3 协议,提供单向认证和 mTLS 双向认证两种模式。"
 }
 ---
 
-## 加密连接 FE
+本文档介绍如何为 Doris 与 MySQL 客户端之间的通信配置 SSL/TLS 加密,以保护数据传输安全。
 
-Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式:
-修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。
+## 概述
 
-接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式:
+Doris 支持基于 SSL 的加密连接,当前支持 TLS1.2 和 TLS1.3 协议。通过启用 SSL,可以确保客户端与 Doris FE 
之间的数据传输经过加密,防止数据在传输过程中被窃取或篡改。
 
-1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030 
-h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。
+Doris 提供两种 SSL 认证模式:
 
-2.`mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`,不使用SSL加密连接,直接使用普通连接。
+| 认证模式 | 说明 | 适用场景 |
+|---------|------|---------|
+| 单向认证(默认) | 仅验证服务端证书 | 一般安全需求场景 |
+| 双向认证(mTLS) | 同时验证服务端和客户端证书 | 高安全需求场景 |
 
-3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。
+## 快速开始
 
->注意:
->`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
-Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate
 = 
/path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password
 = your_password`添加对应您自定义密钥书文件的密码。
+只需两步即可启用 SSL 加密连接:
 
-Doris还支持mTLS:
-修改FE配置文件`conf/fe.conf`,添加`ssl_force_client_auth=true`即可。
+**1. 开启 FE 的 SSL 功能**
 
-接下来可以通过`mysql`客户端连接Doris:
+修改 FE 配置文件 `conf/fe.conf`,添加以下配置后重启 FE:
 
-`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2 
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert 
--ssl-key=/path/to/your/key`
+```properties
+enable_ssl = true
+```
 
-默认的ca,cert,key文件位于`Doris/conf/mysql_ssl_default_certificate/client_certificate/`,分别叫做`ca.pem`,`client-cert.pem`,`client-key.pem`。
+**2. 使用 MySQL 客户端连接**
 
-你也可以通过openssl或者keytool生成自己的证书文件。
+```shell
+mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1
+```
 
-## SSL密钥证书配置
+Doris 内置了默认的密钥证书文件,因此无需额外配置即可使用 SSL 功能。
 
-Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书,如需开启双向认证,还需生成 Client 端密钥证书:
+## 客户端连接方式
 
-* 默认的 CA 
密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`,默认密码为`doris`,您可以通过修改
 FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_ca_certificate = 
/path/to/your/certificate`修改 CA 
密钥证书文件,同时也可以通过`mysql_ssl_default_ca_certificate_password = 
your_password`添加对应您自定义密钥证书文件的密码。
+通过 MySQL 客户端连接 Doris 时,可以选择以下 SSL 模式:
 
-* 默认的 Server 
端密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`,默认密码为`doris`,您可以通过修改
 FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_server_certificate = 
/path/to/your/certificate`修改 Server 
端密钥证书文件,同时也可以通过`mysql_ssl_default_server_certificate_password = 
your_password`添加对应您自定义密钥证书文件的密码。
+| SSL 模式 | 说明 | 命令示例 |
+|---------|------|---------|
+| PREFERRED(默认) | 优先尝试 SSL 连接,失败则回退到普通连接 | `mysql -uroot -P9030 -h127.0.0.1` |
+| DISABLE | 禁用 SSL,使用普通连接 | `mysql --ssl-mode=DISABLE -uroot -P9030 
-h127.0.0.1` |
+| REQUIRED | 强制使用 SSL 连接 | `mysql --ssl-mode=REQUIRED -uroot -P9030 
-h127.0.0.1` |
+
+:::note 注意
+`--ssl-mode` 参数是 MySQL 5.7.11 版本引入的,低于此版本的 MySQL 客户端请参考 [MySQL 
官方文档](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
+:::
 
-* 默认生成了一份 Client 
端的密钥证书,分别存放在`Doris/fe/mysql_ssl_default_certificate/client-key.pem`和`Doris/fe/mysql_ssl_default_certificate/client_certificate/`。
+## 配置双向认证(mTLS)
 
-## 自定义密钥证书文件
+如果您需要更高的安全级别,可以启用 mTLS 双向认证,要求客户端也提供证书进行身份验证。
+
+### 开启 mTLS
+
+修改 FE 配置文件 `conf/fe.conf`,添加以下配置后重启 FE:
+
+```properties
+enable_ssl = true
+ssl_force_client_auth = true
+```
 
-除了 Doris 默认的证书文件,您也可以通过`openssl`生成自定义的证书文件。步骤参考[MySQL 生成 SSL 
证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)
-具体如下:
+### 客户端连接
 
-1. 生成 CA、Server 端和 Client 端的密钥和证书
+使用 mTLS 连接时,客户端需要指定 CA 证书、客户端证书和私钥:
 
 ```shell
-# 生成 CA certificate
+mysql --ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 \
+      --tls-version=TLSv1.2 \
+      --ssl-ca=/path/to/your/ca.pem \
+      --ssl-cert=/path/to/your/client-cert.pem \
+      --ssl-key=/path/to/your/client-key.pem
+```
+
+Doris 提供了默认的客户端证书文件,位于 
`Doris/conf/mysql_ssl_default_certificate/client_certificate/` 目录下:
+
+| 文件名 | 说明 |
+|-------|------|
+| `ca.pem` | CA 证书 |
+| `client-cert.pem` | 客户端证书 |
+| `client-key.pem` | 客户端私钥 |
+
+## 证书配置详解
+
+Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书。如需开启双向认证,还需配置 Client 端密钥证书。
+
+### 默认证书
+
+Doris 内置了默认的证书文件,可直接使用:
+
+| 证书类型 | 默认路径 | 默认密码 |
+|---------|---------|---------|
+| CA 证书 | `Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12` | 
`doris` |
+| Server 端证书 | `Doris/fe/mysql_ssl_default_certificate/server_certificate.p12` 
| `doris` |
+| Client 端证书 | `Doris/fe/mysql_ssl_default_certificate/client_certificate/` | 
- |
+
+### 自定义证书
+
+如需使用自定义证书,可在 FE 配置文件 `conf/fe.conf` 中添加以下配置:
+
+**CA 证书配置**
+
+```properties
+mysql_ssl_default_ca_certificate = /path/to/your/ca_certificate.p12
+mysql_ssl_default_ca_certificate_password = your_password
+```
+
+**Server 端证书配置**
+
+```properties
+mysql_ssl_default_server_certificate = /path/to/your/server_certificate.p12
+mysql_ssl_default_server_certificate_password = your_password
+```
+
+## 生成自定义证书
+
+如果您需要使用自己的证书,可以通过 OpenSSL 生成。具体步骤请参考 [MySQL 官方文档:生成 SSL 
证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)。
+
+### 步骤 1:生成 CA、Server 端和 Client 端的密钥和证书
+
+```shell
+# 生成 CA 证书
 openssl genrsa 2048 > ca-key.pem
 openssl req -new -x509 -nodes -days 3600 \
         -key ca-key.pem -out ca.pem
 
-# 生成 server certificate, 并用上述 CA 签名
+# 生成 Server 端证书,并用上述 CA 签名
 # server-cert.pem = public key, server-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout server-key.pem -out server-req.pem
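Review bot: the 快速开始 sentence "Doris 内置了默认的密钥证书文件" and the new 默认证书 table present the bundled P12 files (password `doris`) and the bundled `client-key.pem` as ready to use, without saying that these files ship with every Doris distribution. With `ssl_force_client_auth = true` and the default certificates left in place, the client key and certificate listed in the mTLS section are available to anyone who has the distribution. Suggest a `:::caution` under 默认证书 stating that the defaults are for testing only and that production deployments should follow 生成自定义证书.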
@@ -65,7 +138,7 @@ openssl rsa -in server-key.pem -out server-key.pem
 openssl x509 -req -in server-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
 
-# 生成 client certificate, 并用上述 CA 签名
+# 生成 Client 端证书,并用上述 CA 签名
 # client-cert.pem = public key, client-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout client-key.pem -out client-req.pem
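Review bot: the context comment `# client-cert.pem = public key, client-key.pem = private key` (and its server counterpart earlier in the block) labels the certificate as a public key, while the comment rewritten just above it now says 证书. Suggest aligning the wording, for example `client-cert.pem = 证书(含公钥)`, so readers do not confuse the CA-signed certificate with a bare public key file.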
@@ -74,13 +147,15 @@ openssl x509 -req -in client-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-2. 验证创建的证书。
+### 步骤 2:验证证书
 
 ```shell
 openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
-3. 将您的 CA 密钥和证书和 Server 端密钥和证书分别合并到 PKCS#12 (P12) 包中。您也可以指定某个证书格式,默认 
PKCS12,可以通过修改 conf/fe.conf 配置文件,添加参数 ssl_trust_store_type 指定证书格式
+### 步骤 3:打包为 PKCS#12 格式
+
+将 CA 密钥和证书、Server 端密钥和证书分别合并为 PKCS#12(P12)格式,以便 Doris 使用:
 
 ```shell
 # 打包 CA 密钥和证书
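Review bot: the new 步骤 3 text ends at "以便 Doris 使用" and never connects the P12 files back to the 自定义证书 settings. `openssl pkcs12 -export` prompts for an export password, and that is the value the reader has to put in `mysql_ssl_default_ca_certificate_password` and `mysql_ssl_default_server_certificate_password`; suggest saying so here and linking to 自定义证书.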
@@ -90,6 +165,10 @@ openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out 
ca_certificate.p12
 openssl pkcs12 -inkey server-key.pem -in server-cert.pem -export -out 
server_certificate.p12
 ```
 
-:::info Note
-[参考文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)
+:::tip 提示
+您也可以通过修改 `conf/fe.conf` 配置文件,添加参数 `ssl_trust_store_type` 来指定其他证书格式,默认为 PKCS12。
+:::
+
+:::info 更多信息
+关于使用 OpenSSL 生成自签名证书的更多信息,请参考 [IBM 
官方文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)。
 :::
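Review bot: `openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12` bundles the CA private key into the file that `mysql_ssl_default_ca_certificate` points FE at, and the page does not say why FE needs the CA signing key or how to protect it. Suggest stating whether a certificate-only bundle is accepted and, if it is not, advising restricted file permissions on the P12 files and on `conf/fe.conf`, which stores their passwords in plain text.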
diff --git a/versioned_docs/version-3.x/admin-manual/auth/certificate.md 
b/versioned_docs/version-3.x/admin-manual/auth/certificate.md
index c3bd55e7b33..bf27e98318a 100644
--- a/versioned_docs/version-3.x/admin-manual/auth/certificate.md
+++ b/versioned_docs/version-3.x/admin-manual/auth/certificate.md
@@ -1,62 +1,136 @@
 ---
 {
-    "title": "MySQL Client Certificate",
+    "title": "MySQL Secure Transport",
     "language": "en",
-    "description": "Doris supports SSL-based encrypted connections. It 
currently supports TLS1.2 and TLS1.3 protocols."
+    "description": "Learn how to configure SSL/TLS encrypted connections for 
Apache Doris to protect data transmission security between MySQL clients and 
Doris. Supports TLS1.2/1.3 protocols with two modes: one-way authentication and 
mTLS mutual authentication."
 }
 ---
 
-## Communicate with the server over an encrypted connection
+This document describes how to configure SSL/TLS encryption for communication 
between Doris and MySQL clients to protect data transmission security.
 
-Doris supports SSL-based encrypted connections. It currently supports TLS1.2 
and TLS1.3 protocols. Doris' SSL mode can be enabled through the following 
configuration:
-Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
+## Overview
 
-Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+Doris supports SSL-based encrypted connections, currently supporting TLS1.2 
and TLS1.3 protocols. By enabling SSL, you can ensure that data transmission 
between clients and Doris FE is encrypted, preventing data from being 
intercepted or tampered with during transmission.
 
-1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql 
--ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL 
encrypted connection at the beginning, if it fails , a normal connection is 
attempted.
+Doris provides two SSL authentication modes:
 
-2. `mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`, do not use SSL 
encrypted connection, use normal connection directly.
+| Authentication Mode | Description | Use Case |
+|---------|------|---------|
+| One-way authentication (default) | Only validates server certificate | 
General security requirements |
+| Mutual authentication (mTLS) | Validates both server and client certificates 
| High security requirements |
 
-3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL 
encrypted connections.
+## Quick Start
 
->Note:
->`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to 
[here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)
 for mysql client version lower than this version。
-Doris needs a key certificate file to verify the SSL encrypted connection. The 
default key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default 
password is `doris`. You can modify the FE configuration file `conf/fe. conf`, 
add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the 
key certificate file, and you can also add the password corresponding to your 
custom key book file through `mysql_ssl_default_certificate_p [...]
+Enable SSL encrypted connections in just two steps:
 
-Doris also supports mTLS:
-Modify the FE configuration file `conf/fe.conf` and add 
`ssl_force_client_auth=true`.
+**1. Enable SSL functionality in FE**
 
-Then you can connect to Doris via the `mysql` client:
+Modify the FE configuration file `conf/fe.conf`, add the following 
configuration, and restart FE:
 
-`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2 
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert 
--ssl-key=/path/to/your/key`
+```properties
+enable_ssl = true
+```
+
+**2. Connect using MySQL client**
+
+```shell
+mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1
+```
+
+Doris has built-in default key certificate files, so SSL functionality can be 
used without additional configuration.
 
-The default ca, cert, and key files are located in 
`Doris/conf/mysql_ssl_default_certificate/client_certificate/`, named `ca.pem`, 
`client-cert.pem`, and `client-key.pem` respectively.
+## Client Connection Methods
 
-You can also generate your own certificate files using openssl or keytool.
+When connecting to Doris via MySQL client, you can choose the following SSL 
modes:
 
-## Key Certificate Configuration
+| SSL Mode | Description | Command Example |
+|---------|------|---------|
+| PREFERRED (default) | Attempts SSL connection first, falls back to regular 
connection if failed | `mysql -uroot -P9030 -h127.0.0.1` |
+| DISABLE | Disables SSL, uses regular connection | `mysql --ssl-mode=DISABLE 
-uroot -P9030 -h127.0.0.1` |
+| REQUIRED | Forces SSL connection | `mysql --ssl-mode=REQUIRED -uroot -P9030 
-h127.0.0.1` |
 
-Enabling SSL functionality in Doris requires configuring both a CA key 
certificate and a server-side key certificate. To enable mutual authentication, 
a client-side key certificate must also be generated:
+:::note Note
+The `--ssl-mode` parameter was introduced in MySQL 5.7.11. For MySQL clients 
below this version, please refer to the [MySQL official 
documentation](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html).
+:::
 
-* The default CA key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default 
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to 
add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change 
the CA key certificate file. You can also add 
`mysql_ssl_default_ca_certificate_password = your_password` to specify the 
password for your custom key certificate file.
+## Configuring Mutual Authentication (mTLS)
 
-* The default server-side key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`, with a default 
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to 
add `mysql_ssl_default_server_certificate = /path/to/your/certificate` to 
change the server-side key certificate file. You can also add 
`mysql_ssl_default_server_certificate_password = your_password` to specify the 
password for your custom key certificate file.
+If you need a higher level of security, you can enable mTLS mutual 
authentication, which requires clients to also provide certificates for 
identity verification.
 
-* By default, a client-side key certificate is also generated and stored in 
`Doris/fe/mysql_ssl_default_certificate/client-key.pem` and 
`Doris/fe/mysql_ssl_default_certificate/client_certificate/`.
+### Enable mTLS
 
-## Custom key certificate file
+Modify the FE configuration file `conf/fe.conf`, add the following 
configuration, and restart FE:
+
+```properties
+enable_ssl = true
+ssl_force_client_auth = true
+```
 
-In addition to the Doris default certificate file, you can also generate a 
custom certificate file through `openssl`. Here are the steps (refer to 
[Creating SSL Certificates and Keys Using 
OpenSSL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)):
+### Client Connection
 
-1. Generate the CA, server-side, and client-side keys and certificates:
+When connecting with mTLS, the client needs to specify the CA certificate, 
client certificate, and private key:
 
 ```shell
-# Generate the CA certificate
+mysql --ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 \
+      --tls-version=TLSv1.2 \
+      --ssl-ca=/path/to/your/ca.pem \
+      --ssl-cert=/path/to/your/client-cert.pem \
+      --ssl-key=/path/to/your/client-key.pem
+```
+
+Doris provides default client certificate files located in the 
`Doris/conf/mysql_ssl_default_certificate/client_certificate/` directory:
+
+| File Name | Description |
+|-------|------|
+| `ca.pem` | CA certificate |
+| `client-cert.pem` | Client certificate |
+| `client-key.pem` | Client private key |
+
+## Certificate Configuration Details
+
+Enabling SSL functionality in Doris requires configuring CA key certificates 
and Server-side key certificates. If mutual authentication is enabled, 
Client-side key certificates must also be configured.
+
+### Default Certificates
+
+Doris has built-in default certificate files that can be used directly:
+
+| Certificate Type | Default Path | Default Password |
+|---------|---------|---------|
+| CA Certificate | `Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12` 
| `doris` |
+| Server-side Certificate | 
`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12` | `doris` |
+| Client-side Certificate | 
`Doris/fe/mysql_ssl_default_certificate/client_certificate/` | - |
+
+### Custom Certificates
+
+To use custom certificates, add the following configuration to the FE 
configuration file `conf/fe.conf`:
+
+**CA Certificate Configuration**
+
+```properties
+mysql_ssl_default_ca_certificate = /path/to/your/ca_certificate.p12
+mysql_ssl_default_ca_certificate_password = your_password
+```
+
+**Server-side Certificate Configuration**
+
+```properties
+mysql_ssl_default_server_certificate = /path/to/your/server_certificate.p12
+mysql_ssl_default_server_certificate_password = your_password
+```
+
+## Generating Custom Certificates
+
+If you need to use your own certificates, you can generate them using OpenSSL. 
For detailed steps, please refer to the [MySQL official documentation: Creating 
SSL Certificates Using 
OpenSSL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html).
+
+### Step 1: Generate CA, Server-side, and Client-side Keys and Certificates
+
+```shell
+# Generate CA certificate
 openssl genrsa 2048 > ca-key.pem
 openssl req -new -x509 -nodes -days 3600 \
         -key ca-key.pem -out ca.pem
 
-# Generate the server certificate and sign it with the above CA
+# Generate Server-side certificate and sign with the above CA
 # server-cert.pem = public key, server-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout server-key.pem -out server-req.pem
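Review bot: the Overview table says one-way authentication "Only validates server certificate", but the Quick Start and the SSL Mode table only offer `PREFERRED`, `DISABLE` and `REQUIRED`, and the mysql client does not check the server certificate in any of those modes; `REQUIRED` only guarantees encryption. Suggest adding `VERIFY_CA` and `VERIFY_IDENTITY` rows (with `--ssl-ca`) to the SSL Mode table and noting that `PREFERRED` silently falls back to an unencrypted connection. Separately, the MySQL manual spells the value `DISABLED`, not `DISABLE`.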
@@ -64,7 +138,7 @@ openssl rsa -in server-key.pem -out server-key.pem
 openssl x509 -req -in server-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
 
-# Generate the client certificate and sign it with the above CA
+# Generate Client-side certificate and sign with the above CA
 # client-cert.pem = public key, client-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout client-key.pem -out client-req.pem
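Review bot: the server certificate in the context lines is issued with `-set_serial 01`, and the client certificate that follows this comment is issued by the same CA with `-set_serial 01` again (first line of the next hunk). Two certificates from one issuer with the same serial number cannot be distinguished by issuer and serial, for example in a revocation list. Since the section is being rewritten anyway, suggest `-set_serial 02` for the client certificate, or `-CAcreateserial`.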
@@ -73,22 +147,28 @@ openssl x509 -req -in client-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-2. Verify the created certificates:
+### Step 2: Verify Certificates
 
 ```shell
 openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
-3. Combine your key and certificate in a PKCS#12 (P12) bundle. You can also 
specify a certificate format (PKCS12 by default). You can modify the 
conf/fe.conf configuration file and add parameter ssl_trust_store_type to 
specify the certificate format.
+### Step 3: Package into PKCS#12 Format
+
+Merge the CA key and certificate, and Server-side key and certificate 
separately into PKCS#12 (P12) format for use by Doris:
 
 ```shell
-# Package the CA key and certificate
+# Package CA key and certificate
 openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
 
-# Package the server-side key and certificate
+# Package Server-side key and certificate
 openssl pkcs12 -inkey server-key.pem -in server-cert.pem -export -out 
server_certificate.p12
 ```
 
-:::info Note
-[reference 
documents](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)
+:::tip Tip
+You can also modify the `conf/fe.conf` configuration file and add the 
parameter `ssl_trust_store_type` to specify other certificate formats. The 
default is PKCS12.
+:::
+
+:::info More Information
+For more information on generating self-signed certificates using OpenSSL, 
please refer to the [IBM official 
documentation](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl).
 :::
\ No newline at end of file
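Review bot: the new Tip says `ssl_trust_store_type` can "specify other certificate formats" but does not list which values are accepted or show the line to add to `conf/fe.conf`. Suggest naming the supported values and giving a `properties` snippet like the other settings on the page. The file also now ends without a trailing newline.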
diff --git a/versioned_docs/version-4.x/admin-manual/auth/certificate.md 
b/versioned_docs/version-4.x/admin-manual/auth/certificate.md
index c3bd55e7b33..bf27e98318a 100644
--- a/versioned_docs/version-4.x/admin-manual/auth/certificate.md
+++ b/versioned_docs/version-4.x/admin-manual/auth/certificate.md
@@ -1,62 +1,136 @@
 ---
 {
-    "title": "MySQL Client Certificate",
+    "title": "MySQL Secure Transport",
     "language": "en",
-    "description": "Doris supports SSL-based encrypted connections. It 
currently supports TLS1.2 and TLS1.3 protocols."
+    "description": "Learn how to configure SSL/TLS encrypted connections for 
Apache Doris to protect data transmission security between MySQL clients and 
Doris. Supports TLS1.2/1.3 protocols with two modes: one-way authentication and 
mTLS mutual authentication."
 }
 ---
 
-## Communicate with the server over an encrypted connection
+This document describes how to configure SSL/TLS encryption for communication 
between Doris and MySQL clients to protect data transmission security.
 
-Doris supports SSL-based encrypted connections. It currently supports TLS1.2 
and TLS1.3 protocols. Doris' SSL mode can be enabled through the following 
configuration:
-Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
+## Overview
 
-Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+Doris supports SSL-based encrypted connections, currently supporting TLS1.2 
and TLS1.3 protocols. By enabling SSL, you can ensure that data transmission 
between clients and Doris FE is encrypted, preventing data from being 
intercepted or tampered with during transmission.
 
-1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql 
--ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL 
encrypted connection at the beginning, if it fails , a normal connection is 
attempted.
+Doris provides two SSL authentication modes:
 
-2. `mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`, do not use SSL 
encrypted connection, use normal connection directly.
+| Authentication Mode | Description | Use Case |
+|---------|------|---------|
+| One-way authentication (default) | Only validates server certificate | 
General security requirements |
+| Mutual authentication (mTLS) | Validates both server and client certificates 
| High security requirements |
 
-3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL 
encrypted connections.
+## Quick Start
 
->Note:
->`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to 
[here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)
 for mysql client version lower than this version。
-Doris needs a key certificate file to verify the SSL encrypted connection. The 
default key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default 
password is `doris`. You can modify the FE configuration file `conf/fe. conf`, 
add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the 
key certificate file, and you can also add the password corresponding to your 
custom key book file through `mysql_ssl_default_certificate_p [...]
+Enable SSL encrypted connections in just two steps:
 
-Doris also supports mTLS:
-Modify the FE configuration file `conf/fe.conf` and add 
`ssl_force_client_auth=true`.
+**1. Enable SSL functionality in FE**
 
-Then you can connect to Doris via the `mysql` client:
+Modify the FE configuration file `conf/fe.conf`, add the following 
configuration, and restart FE:
 
-`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2 
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert 
--ssl-key=/path/to/your/key`
+```properties
+enable_ssl = true
+```
+
+**2. Connect using MySQL client**
+
+```shell
+mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1
+```
+
+Doris has built-in default key certificate files, so SSL functionality can be 
used without additional configuration.
 
-The default ca, cert, and key files are located in 
`Doris/conf/mysql_ssl_default_certificate/client_certificate/`, named `ca.pem`, 
`client-cert.pem`, and `client-key.pem` respectively.
+## Client Connection Methods
 
-You can also generate your own certificate files using openssl or keytool.
+When connecting to Doris via MySQL client, you can choose the following SSL 
modes:
 
-## Key Certificate Configuration
+| SSL Mode | Description | Command Example |
+|---------|------|---------|
+| PREFERRED (default) | Attempts SSL connection first, falls back to regular 
connection if failed | `mysql -uroot -P9030 -h127.0.0.1` |
+| DISABLE | Disables SSL, uses regular connection | `mysql --ssl-mode=DISABLE 
-uroot -P9030 -h127.0.0.1` |
+| REQUIRED | Forces SSL connection | `mysql --ssl-mode=REQUIRED -uroot -P9030 
-h127.0.0.1` |
 
-Enabling SSL functionality in Doris requires configuring both a CA key 
certificate and a server-side key certificate. To enable mutual authentication, 
a client-side key certificate must also be generated:
+:::note Note
+The `--ssl-mode` parameter was introduced in MySQL 5.7.11. For MySQL clients 
below this version, please refer to the [MySQL official 
documentation](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html).
+:::
 
-* The default CA key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default 
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to 
add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change 
the CA key certificate file. You can also add 
`mysql_ssl_default_ca_certificate_password = your_password` to specify the 
password for your custom key certificate file.
+## Configuring Mutual Authentication (mTLS)
 
-* The default server-side key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`, with a default 
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to 
add `mysql_ssl_default_server_certificate = /path/to/your/certificate` to 
change the server-side key certificate file. You can also add 
`mysql_ssl_default_server_certificate_password = your_password` to specify the 
password for your custom key certificate file.
+If you need a higher level of security, you can enable mTLS mutual 
authentication, which requires clients to also provide certificates for 
identity verification.
 
-* By default, a client-side key certificate is also generated and stored in 
`Doris/fe/mysql_ssl_default_certificate/client-key.pem` and 
`Doris/fe/mysql_ssl_default_certificate/client_certificate/`.
+### Enable mTLS
 
-## Custom key certificate file
+Modify the FE configuration file `conf/fe.conf`, add the following 
configuration, and restart FE:
+
+```properties
+enable_ssl = true
+ssl_force_client_auth = true
+```
 
-In addition to the Doris default certificate file, you can also generate a 
custom certificate file through `openssl`. Here are the steps (refer to 
[Creating SSL Certificates and Keys Using 
OpenSSL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)):
+### Client Connection
 
-1. Generate the CA, server-side, and client-side keys and certificates:
+When connecting with mTLS, the client needs to specify the CA certificate, 
client certificate, and private key:
 
 ```shell
-# Generate the CA certificate
+mysql --ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 \
+      --tls-version=TLSv1.2 \
+      --ssl-ca=/path/to/your/ca.pem \
+      --ssl-cert=/path/to/your/client-cert.pem \
+      --ssl-key=/path/to/your/client-key.pem
+```
+
+Doris provides default client certificate files located in the 
`Doris/conf/mysql_ssl_default_certificate/client_certificate/` directory:
+
+| File Name | Description |
+|-------|------|
+| `ca.pem` | CA certificate |
+| `client-cert.pem` | Client certificate |
+| `client-key.pem` | Client private key |
+
+## Certificate Configuration Details
+
+Enabling SSL functionality in Doris requires configuring CA key certificates 
and Server-side key certificates. If mutual authentication is enabled, 
Client-side key certificates must also be configured.
+
+### Default Certificates
+
+Doris has built-in default certificate files that can be used directly:
+
+| Certificate Type | Default Path | Default Password |
+|---------|---------|---------|
+| CA Certificate | `Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12` 
| `doris` |
+| Server-side Certificate | 
`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12` | `doris` |
+| Client-side Certificate | 
`Doris/fe/mysql_ssl_default_certificate/client_certificate/` | - |
+
+### Custom Certificates
+
+To use custom certificates, add the following configuration to the FE 
configuration file `conf/fe.conf`:
+
+**CA Certificate Configuration**
+
+```properties
+mysql_ssl_default_ca_certificate = /path/to/your/ca_certificate.p12
+mysql_ssl_default_ca_certificate_password = your_password
+```
+
+**Server-side Certificate Configuration**
+
+```properties
+mysql_ssl_default_server_certificate = /path/to/your/server_certificate.p12
+mysql_ssl_default_server_certificate_password = your_password
+```
+
+## Generating Custom Certificates
+
+If you need to use your own certificates, you can generate them using OpenSSL. 
For detailed steps, please refer to the [MySQL official documentation: Creating 
SSL Certificates Using 
OpenSSL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html).
+
+### Step 1: Generate CA, Server-side, and Client-side Keys and Certificates
+
+```shell
+# Generate CA certificate
 openssl genrsa 2048 > ca-key.pem
 openssl req -new -x509 -nodes -days 3600 \
         -key ca-key.pem -out ca.pem
 
-# Generate the server certificate and sign it with the above CA
+# Generate Server-side certificate and sign with the above CA
 # server-cert.pem = public key, server-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout server-key.pem -out server-req.pem
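Review bot: the default client certificate directory is given as `Doris/conf/mysql_ssl_default_certificate/client_certificate/` in the Client Connection section but as `Doris/fe/mysql_ssl_default_certificate/client_certificate/` in the Default Certificates table. Please confirm which path is correct and use it in both places. Also, the mTLS example pins `--tls-version=TLSv1.2` although the Overview says TLS1.3 is supported; either drop the flag or explain why it is needed.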
@@ -64,7 +138,7 @@ openssl rsa -in server-key.pem -out server-key.pem
 openssl x509 -req -in server-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
 
-# Generate the client certificate and sign it with the above CA
+# Generate Client-side certificate and sign with the above CA
 # client-cert.pem = public key, client-key.pem = private key
 openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout client-key.pem -out client-req.pem
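Review bot: every key in this block is created with `-nodes`, so `server-key.pem` and `client-key.pem` are written unencrypted, and the certificates are valid for `-days 3600`, close to ten years. Neither choice is explained. Suggest a short note after the block recommending restrictive permissions on the `*-key.pem` files and a validity period that matches the site's rotation policy.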
@@ -73,22 +147,28 @@ openssl x509 -req -in client-req.pem -days 3600 \
         -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-2. Verify the created certificates:
+### Step 2: Verify Certificates
 
 ```shell
 openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
-3. Combine your key and certificate in a PKCS#12 (P12) bundle. You can also 
specify a certificate format (PKCS12 by default). You can modify the 
conf/fe.conf configuration file and add parameter ssl_trust_store_type to 
specify the certificate format.
+### Step 3: Package into PKCS#12 Format
+
+Merge the CA key and certificate, and Server-side key and certificate 
separately into PKCS#12 (P12) format for use by Doris:
 
 ```shell
-# Package the CA key and certificate
+# Package CA key and certificate
 openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
 
-# Package the server-side key and certificate
+# Package Server-side key and certificate
 openssl pkcs12 -inkey server-key.pem -in server-cert.pem -export -out 
server_certificate.p12
 ```
 
-:::info Note
-[reference 
documents](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)
+:::tip Tip
+You can also modify the `conf/fe.conf` configuration file and add the 
parameter `ssl_trust_store_type` to specify other certificate formats. The 
default is PKCS12.
+:::
+
+:::info More Information
+For more information on generating self-signed certificates using OpenSSL, 
please refer to the [IBM official 
documentation](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl).
 :::
\ No newline at end of file
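Review bot: the procedure stops at Step 3, after packaging only the CA and server bundles. The `client-cert.pem` and `client-key.pem` generated in Step 1 are never used again, and nothing tells the reader to set the `mysql_ssl_default_*` options and restart FE. Suggest a closing step that links to Custom Certificates for the FE side and to the mTLS Client Connection command for `--ssl-ca`, `--ssl-cert` and `--ssl-key`.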

