Using SSL on MariaDB - how to get client .pem's?

Hi there,

I got a Synology NAS running MariaDB. I now want to secure the DB by using SSL.

To do so, I defined in the "my.cnf" of MariaDB:

ssl-ca=/etc/mysql/chain.pem
ssl-cert=/etc/mysql/cert.pem
ssl-key=/etc/mysql/privkey.pem

But I also need to generate "client-cert.pem" and "client-key.pem". Unfortunately, I don't know how to do this. Can somebody help me so that I can successfully connect from a client to my MariaDB via SSL?

Thank you so much in advance.

Hi @edq37843, this isn’t a Let’s Encrypt issue but rather something specific to MariaDB. They want you to generate your own additional set of keys (locally on your own machine) for client authentication purposes. A tutorial related to this can be found at

If you have any trouble with that, you can probably find more detailed help in a MariaDB support forum.

Good luck!


Hey, thanks for your reply.

However, it's rather a Let's Encrypt specific question because I don't know how to create client *.pems. I know that these three lines basically serve the purpose, but for self-signed certs:

$ openssl req -sha256 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
$ openssl rsa -in client-key.pem -out client-key.pem
$ openssl x509 -sha256 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

But how is it for LE? I don't have a "ca-key.pem". What would the shell commands be for LE? I got a 2048-RSA.

Thanks.

@edq37843, Let’s Encrypt isn’t going to sign your client certificates because there’s no way to verify their content (in the context of Let’s Encrypt’s automated processes). Let’s Encrypt can only sign your server certificates. (There’s a way to validate your control over the domain they refer to in an automated online process, but we don’t have a corresponding approach for the client certificates.)

So, you’ll still need to use self-signed certificates for the client certificate part of the process. A method for creating those self-signed certificates, including ca-key.pem, is included in the tutorial that I linked to.

One could argue that client authentication rarely needs a publicly-trusted CA for security; whoever operates the service that’s accepting the client certificates is in a position to check their validity, issue them, and accept them, without having any outside party in the loop. For example, if you’re the administrator of the MariaDB server, you know who the authorized users of the server are, and you can issue certificates to them that you can configure the server to accept. On the other hand, a lot of Internet services do like outsourcing identity management, so maybe we’ll see some kind of outsourced identity provider issuing TLS client certificates one day.

Although everything @schoen says is correct, I will say that technically I don’t believe anything forbids you from using certificates issued by Let’s Encrypt as client certificates in MariaDB. The problem is that since Let’s Encrypt only issues certificates for public DNS names on the Internet, each of your clients would need to control such a name, and ordinarily this will not be the case for a database client. So in practice operating your own CA will most likely be the way forward.

I am vaguely interested in building a less sophisticated public CA based on ACME and probably Boulder some day, and issuing client certificates on proof of control of an email address is the sort of role I was considering. Such a CA would not be trusted widely by existing software as Let’s Encrypt is, but it might be of some value, particularly as a cheaper alternative to the private CAs run by famous brand public CA companies like Entrust.
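As an added example (not code from the thread, the linked tutorial, or MariaDB), here is the "operate your own CA" route in one POSIX shell function: it creates a private CA, issues a client certificate signed by it, and checks that the result chains back to the CA and matches its key. It assumes the openssl CLI is installed; the output directory and the user name dbuser1 are constructed placeholders.

```shell
#!/bin/sh
# Added example: a private CA for MariaDB client certificates (not the thread's code).
# Assumes the openssl CLI; $1 = output directory, $2 = client CN (constructed defaults).
set -eu

make_client_ca() {
    out="${1:-./mariadb-client-ca}"
    client_cn="${2:-dbuser1}"
    mkdir -p "$out"

    # 1. Private CA. ca-key.pem stays on the DBA's machine; ca-cert.pem is what
    #    the MariaDB server needs to trust in order to accept certs signed by it.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "/CN=MariaDB Client CA (constructed example)" \
        -keyout "$out/ca-key.pem" -out "$out/ca-cert.pem" 2>/dev/null

    # 2. Client key and CSR. Using the DB user name as CN lets the DBA pin it
    #    later with REQUIRE SUBJECT '/CN=dbuser1' on the MariaDB account.
    openssl req -newkey rsa:2048 -sha256 -nodes -subj "/CN=$client_cn" \
        -keyout "$out/client-key.pem" -out "$out/client-req.pem" 2>/dev/null

    # 3. Sign the CSR with the private CA (SHA-256; SHA-1 signatures are
    #    rejected by current TLS stacks). -CAcreateserial avoids hand-set serials.
    openssl x509 -req -sha256 -days 730 -in "$out/client-req.pem" \
        -CA "$out/ca-cert.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
        -out "$out/client-cert.pem" 2>/dev/null
    chmod 600 "$out/ca-key.pem" "$out/client-key.pem"

    # 4. Checks a DBA should run before shipping files to a client:
    #    the cert verifies against the CA, and its public key matches the private key.
    openssl verify -CAfile "$out/ca-cert.pem" "$out/client-cert.pem" >/dev/null
    cert_pub=$(openssl x509 -in "$out/client-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$out/client-key.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }

    # Deployment (assumed layout): append ca-cert.pem to the server's ssl-ca file so
    # MariaDB trusts this CA for clients; hand client-cert.pem and client-key.pem to
    # the user, who connects with --ssl-ca/--ssl-cert/--ssl-key.
    echo "client certificate for $client_cn written to $out"
}

make_client_ca "${1:-./mariadb-client-ca}" "${2:-dbuser1}"
```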
